Security audit

Video Stitcher

Security checks across malware telemetry and agentic risk

Overview

This appears to be a media rendering skill that may fetch user-provided clips and write an output file, with no evidence of hidden or malicious behavior.

Install if you want a skill to render media from clips you provide. Use trusted local files or trusted URLs, avoid internal/private URLs, and set output paths in a dedicated folder to prevent accidental overwrites.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly allows `clips` to be provided as local paths or URLs, but it does not warn users that remote URLs may be fetched and processed. In this context, that omission can lead to unintended network access, processing of untrusted remote media, and possible exposure to SSRF-like behavior or privacy/security surprises in agent environments that can reach internal resources.

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The skill requires an `output` path and describes rendering/export behavior, but it does not clearly warn that execution will create or overwrite files at that destination. In automated workflows, this can cause accidental data loss or clobber important files if the output path is user-controlled or defaults are misunderstood.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.