Security audit

VideoDB Monitoring

Security checks across malware telemetry and agentic risk

Overview

This screen-recording skill appears to serve its stated purpose, but it can run persistent screen/audio monitoring, index sensitive activity, and expose recordings with too little user control or warning.

Review before installing. Only use this if you intentionally want persistent screen and possible system-audio capture sent to VideoDB for indexing/search, and make sure you understand how to stop the monitor, delete recordings/transcripts, protect API keys, and avoid generating or sharing recording URLs that may expose private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill uses and manages environment-backed secrets such as `VIDEODB_API_KEY`, but the skill metadata does not declare the corresponding permission or clearly communicate that secret access is required. This weakens policy enforcement and informed consent because an agent may handle credentials and privileged configuration without an explicit permission boundary.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior goes beyond passive 'screen recording capabilities' and includes starting a persistent monitor, requesting screen/audio capture permissions, indexing captured content, storing runtime state, and managing background processes. This mismatch is dangerous because users and orchestrators may authorize the skill expecting simple recording utilities while it actually enables continuous surveillance-style collection and persistence.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill description says only 'Screen recording capabilities' and does not clearly disclose that running this script will actively request screen-capture and microphone permissions, start a persistent recording session, and keep it running indefinitely. In an agent-skill context, incomplete disclosure around continuous recording materially increases the risk of users enabling surveillance functionality without informed consent.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The code reads a PID from a mutable config file and sends SIGTERM/SIGKILL to that process if it appears alive. Because PID ownership is not verified, a tampered or stale PID can cause termination of an unrelated local process, creating a local denial-of-service condition beyond the stated recording purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill does more than passive retrieval: it can start and stop transcription and indexing jobs over live screen and system-audio streams. That expands the capability from querying existing recordings into controlling ongoing monitoring, which is privacy-sensitive and materially different from the stated description. In an agent setting, this can enable unexpected surveillance actions without clear user awareness or consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README promotes screen recording, searching past activity, and transcript generation but does not clearly warn that highly sensitive screen contents and spoken audio may be continuously captured, stored, indexed, and shared. In an agent skill context, this can lead users to enable powerful surveillance-like capabilities without informed consent, increasing the risk of credential, PII, or confidential business data exposure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The examples encourage querying historical activity and meeting audio transcripts without warning that prior user actions and conversations may be indexed and retrievable later, or that generated stream/share URLs may expose those recordings to others. This omission is dangerous because users may treat the feature as a transient helper rather than a searchable archive of sensitive activity.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill promotes screen recording, system-audio capture, search, summaries, and transcripts without a clear privacy warning or explicit consent step. Because these features can capture sensitive on-screen information, credentials, conversations, and third-party data, omission of a strong warning materially increases the risk of covert or overbroad collection.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill instructs the agent to ask for and set the user's API key directly, but gives no warning about secret handling, redaction, secure input, or avoiding echoing the key in logs/history. This can expose long-lived credentials through chat transcripts, shell history, config stores, or accidental output.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: The script logs the API key prefix to both a log file and console output. Even partial credential disclosure is sensitive because logs are often retained, aggregated, or exposed to other local users and tools, and it unnecessarily reveals secret material without warning.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The start-indexing flow enables transcript generation plus audio and visual indexing in one command, but provides no user-facing warning or consent check despite operating on screen and system-audio data. In this skill context, that means an agent can activate highly privacy-sensitive analysis over potentially confidential content with little friction.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The stream command generates shareable URLs for recorded screen content and explicitly encourages sharing the player page, yet there is no prior warning, authorization check, or data-classification safeguard. Because screen recordings may contain credentials, internal documents, or personal data, exposing a shareable link can directly leak sensitive information to unintended recipients.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
If **not `true`**, start the monitor:

```bash
cd {baseDir} && nohup npx tsx monitor.ts > ~/.videodb/logs/monitor.log 2>&1 & disown && sleep 3
```

Verify it started:
Confidence: 93%
Finding: `nohup`

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
If **not `true`**, start the monitor:

```bash
cd {baseDir} && nohup npx tsx monitor.ts > ~/.videodb/logs/monitor.log 2>&1 & disown && sleep 3
```

Verify it started:
Confidence: 93%
Finding: `disown`

VirusTotal

65/65 vendors flagged this skill as clean.