Back to skill

Security audit

AI Video Gen CN

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward AI video-generation skill, with normal but under-documented privacy, cost, dependency, and file-overwrite risks.

Install only if you are comfortable sending prompts, narration, and generated media to third-party AI providers and potentially incurring API costs. Use dedicated API keys with spending limits, keep .env out of source control, avoid confidential or regulated content unless provider policies allow it, and write outputs to fresh filenames to avoid accidental overwrites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Tainted flow: 'video_url' from requests.get (line 125, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
# Download video
        video_path = self.output_dir / f"video_{int(time.time())}.mp4"
        video_data = requests.get(video_url).content
        with open(video_path, 'wb') as f:
            f.write(video_data)
Confidence
82% confidence
Finding
video_data = requests.get(video_url).content

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises capabilities that require access to environment variables, filesystem writes, network calls, and shell/FFmpeg execution, but it does not declare permissions or boundaries for those actions. This creates a real security and governance risk because users and host systems cannot make an informed trust decision, and the shell/network combination increases the potential blast radius if the underlying scripts are misused or compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick-start explicitly instructs users to store live API secrets in a `.env` file but does not warn them to keep that file out of source control or protect it locally. In a developer workflow, this omission materially increases the chance of accidental credential exposure through Git commits, screenshots, shared archives, or copied examples, which could lead to unauthorized API usage and billing abuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to configure API keys and use external providers like OpenAI, LumaAI, Runway, ElevenLabs, and Replicate, but it does not disclose that prompts, narration text, images, and possibly video/media inputs may be transmitted to those third parties. This creates a privacy and data-handling risk because users may unknowingly submit sensitive or regulated content to external services under separate retention and usage policies.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill routes user prompts and potentially generated or uploaded media to external providers such as OpenAI, Replicate, LumaAI, Runway, and ElevenLabs, yet the description does not warn users that their text, images, audio, or video may leave the local environment. This is dangerous because users may unknowingly transmit sensitive, proprietary, or regulated content to third parties with separate retention and training policies.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The documented workflow writes output media files and performs editing operations, but it does not warn that generated outputs or editing steps may overwrite existing files or modify local media artifacts if unsafe paths are chosen. While this is less severe than arbitrary code execution, it can still cause data loss or accidental corruption of user content during routine use.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The script writes a predictable temporary file named filelist.txt in the current working directory, which can create race-condition or symlink risks in shared directories. An attacker with filesystem access could pre-create or replace that path to overwrite arbitrary files or influence FFmpeg's input list.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase "视频制作" is broad and can match many ordinary user requests about making or editing videos, increasing the chance this skill activates outside a clearly intended scope. Because the skill can invoke external AI/video services and potentially consume API-backed resources, accidental activation can lead to unintended tool use, cost, and confusing behavior.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The English trigger "generate video" is highly generic and likely to appear in normal conversation, making reliable scoped activation difficult. In a skill that can call third-party generation services and use secrets, this raises the risk of accidental invocation, unintended external requests, and unnecessary API consumption.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger "ai video" is ambiguous and likely to match casual discussion rather than a deliberate request to run this specific skill. Since the skill's stated capabilities include image generation, video synthesis, voice-over, and FFmpeg editing, accidental activation could chain into multiple external operations with cost and privacy implications.

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
replicate>=0.20.0
requests>=2.31.0
pillow>=10.0.0
Confidence
92% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
replicate>=0.20.0
requests>=2.31.0
pillow>=10.0.0
python-dotenv>=1.0.0
Confidence
92% confidence
Finding
replicate>=0.20.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
replicate>=0.20.0
requests>=2.31.0
pillow>=10.0.0
python-dotenv>=1.0.0
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
replicate>=0.20.0
requests>=2.31.0
pillow>=10.0.0
python-dotenv>=1.0.0
Confidence
97% confidence
Finding
pillow>=10.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
replicate>=0.20.0
requests>=2.31.0
pillow>=10.0.0
python-dotenv>=1.0.0
Confidence
88% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
73% confidence
Finding
requests

Known Vulnerable Dependency: pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
84% confidence
Finding
pillow

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
61% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.