Back to skill

Security audit

Tencent MPS

Security checks across malware telemetry and agentic risk

Overview

This Tencent Cloud media-processing skill appears functional and mostly purpose-aligned, but it needs Review because it can auto-install packages, broadly auto-load cloud credentials, move media to and from Tencent Cloud, and includes an explicit duplicate-detection evasion workflow.

Install only if you are comfortable granting this skill access to Tencent Cloud credentials, COS buckets, local media files, and billable MPS operations. Use least-privilege Tencent credentials, avoid storing broad secrets in shell profile files, review commands before approving execution, avoid processing sensitive or unlicensed media, and do not use the dedupe, voice-cloning, or watermark-removal features for impersonation, copyright circumvention, or platform-policy evasion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (63)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    cmd = [sys.executable, "-m", "pip", "install", "--upgrade", "--quiet"] + specs
    print(f"⏳ 正在自动安装/升级缺失依赖:{', '.join(specs)}", file=sys.stderr)
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        print(
            f"❌ 自动安装失败,请手动执行:\n"
Confidence
96% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to invoke local Python scripts that can read environment variables, access local files, write files, perform network operations, and execute shell commands, yet it declares no permissions. This creates a capability/permission mismatch: an orchestrator or reviewer may treat the skill as low-risk while it can access secrets, local media, and remote cloud resources, increasing the chance of unintended secret exposure, file access, or costly external actions.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script automatically downloads remote URLs returned by the MPS task using urllib.request.urlretrieve() without validating scheme, hostname, size, or content type. If the returned URL is malicious, unexpected, or points to an internal resource via a compromised upstream/API response, this can cause untrusted file writes, SSRF-like access from the host, or disk consumption outside the skill's stated scope.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script automatically generates and prints COS pre-signed download URLs for task output media. These URLs grant temporary direct access to cloud objects and may be exposed through terminal history, logs, screenshots, or downstream tooling, which can unintentionally widen access to media outputs.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The script auto-loads cloud credentials from system profile files when environment variables are absent, even though it is primarily a task query utility. This increases surprise and credential exposure risk because the tool may silently pull privileged secrets from broader system configuration rather than requiring explicit user-provided credentials.

Context-Inappropriate Capability

Medium
Confidence
73% confidence
Finding
The code forwards any user-provided ScheduleId directly to the backend, which can invoke arbitrary preconfigured MPS console workflows beyond the script's stated purpose. In an agent setting, this weakens control boundaries and may trigger unintended AI capabilities or data-processing pipelines with the caller's credentials and media inputs.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This module is documented and presented as a polling utility, but it also contains side-effecting capabilities to upload local files, download remote outputs, and generate local HTML files. That hidden expansion of scope increases the chance that callers import or invoke it under the assumption that it only reads task state, leading to unintended data transfer or filesystem writes in higher-trust automation contexts.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The CLI advertises itself only as a task polling tool, while the file also implements additional transfer and file-generation behaviors. Misleading operator-facing descriptions can cause unsafe use in automation, because users may not realize the module can move data or write files when reused elsewhere.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description enumerates a very large set of trigger phrases spanning many loosely related media tasks, with only a minimal exclusion for recommendation-only queries. This broad activation scope can cause the agent to invoke the skill on ambiguous user requests, increasing the chance of unintended data handling, unnecessary external service calls, or bypass of more appropriate tools and policy checks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document encourages routine environment validation for MPS/COS credentials but does not warn that the check necessarily touches configured secrets and may reveal whether sensitive keys are present or valid. In an agent workflow, this can normalize secret-handling actions and lead users to expose, verify, or troubleshoot credentials in conversational contexts that are logged or visible to the model.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The documentation explicitly supports uploading local images and downloading generated videos to a local directory or cloud storage, but it does not warn users that these actions transfer local files off the machine and write new files back to the user's system or COS bucket. In an agent setting, that omission can lead to unintended data exposure or unexpected file writes if users do not realize the side effects of these parameters.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to submit local files, remote URLs, and COS objects for audio/video understanding, including speech recognition and content analysis, but it does not warn that media may contain sensitive personal, biometric, or confidential information that will be uploaded to Tencent Cloud services. In this context, omission of a privacy/data-egress warning can cause users to unintentionally transfer regulated or sensitive content off-host or across trust boundaries, especially for audio transcription, face/scene analysis, and comparison workflows.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The documentation states that downloads default to saving as `./<filename>` and recommends local filesystem writes, but it does not warn about overwriting existing files or the risks of writing into the current working directory. In an agent-driven workflow, this can lead to accidental clobbering of local files, especially when filenames are derived from remote object keys or when commands are executed in shared workspaces.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The document hard-codes broad trigger phrases such as '视频去重', '视频防重', and especially '规避重复检测', and then mandates use of a tool explicitly intended to alter media to bypass platform duplicate-content detection. This creates a reliable path for the agent to assist evasion-oriented requests without requiring clarifying questions or legitimacy checks, increasing the risk of misuse for policy circumvention and deceptive content repackaging.

Missing User Warnings

High
Confidence
97% confidence
Finding
The file describes the feature as modifying video frames to '规避平台重复内容检测' and presents it as a standard supported workflow, but provides no warning, restriction, or refusal guidance. In this context, the skill is not merely generic editing; it is directly positioned to help users evade platform enforcement mechanisms, making misuse substantially more likely and more dangerous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly promotes voice cloning and timbre replication but provides no warning about consent, privacy, impersonation, or misuse risks when users upload real people's audio or video. In a capability centered on cloning human voices, omission of guardrails materially increases the chance of non-consensual impersonation, fraud, or privacy violations, making this more dangerous than a generic media-processing feature.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that verbose mode outputs full request parameters and responses, but gives no warning that these may include sensitive content such as input text, URLs, bucket names, task metadata, or returned identifiers. This can lead to accidental disclosure through terminal history, shared logs, CI output, or support artifacts, especially in a tool handling media and cloned-voice data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation states that local files will be 'automatically uploaded to COS' to generate links, but it does not clearly warn users that local media will be transmitted to a cloud service. This can cause unintended disclosure of sensitive videos or images, especially because the tool is framed as local and no-cost, which may lower user suspicion about network transfer and data residency implications.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The examples explicitly promote watermark removal ('去水印前后对比') without any authorization, ownership, or legal-use constraint. In a media-processing skill, this lowers friction for misuse by normalizing copyright-management circumvention and unauthorized modification of protected content.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The documentation advertises a `--download-dir` option that writes task results to a local directory, but it does not explicitly warn users that running the command will create or overwrite local files. In an agent/automation context, undocumented filesystem side effects can surprise operators and increase the risk of writing sensitive media into unintended locations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill describes sending source images and garment images via public URLs or COS to Tencent Cloud MPS for processing, but it does not warn about data egress, third-party processing, or privacy implications. Because these images may contain people, apparel, or commercial assets, omission of an explicit disclosure can lead to unintentional transfer of sensitive or regulated content outside the local environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to submit images via URL, COS, or local upload to a remote MPS/Gemini-backed service, but it does not disclose that image contents may leave the local environment and be processed by third-party cloud systems. This can lead users to upload sensitive images containing personal data, documents, or confidential business information without informed consent or appropriate handling controls.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation explicitly supports uploading local files to COS and writing outputs to cloud storage, but it does not warn users that local content will be transferred to Tencent Cloud and may persist in input/output buckets. In a media-processing skill, this can lead to accidental disclosure or retention of sensitive images and derived artifacts, especially when users assume processing is local or ephemeral.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to submit model and clothing images to Tencent MPS/COS and poll for results, but it does not warn that these images are transmitted to third-party cloud services and may contain personal, biometric, or commercially sensitive data. In the context of AI try-on, model photos often depict identifiable people, so omission of privacy and data-handling notice can lead to unintended disclosure or non-compliant processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to upload local media to COS, submit remote media URLs, and optionally provide a callback URL, but it does not warn that these actions transmit user content and metadata to external cloud services. In a media-processing skill, this omission can cause unintentional disclosure of sensitive files, internal URLs, or webhook endpoints, especially when users may assume processing is local or do not understand the trust boundary.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:39