Back to skill

Security audit

Zight - video instructions capability for agents

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended to extract Zight video metadata and transcripts, but its network fetching is broader than the Zight-only purpose it describes.

Install only if you are comfortable with a skill that makes outbound requests based on supplied links and ingests video transcript text into the agent context. Use it with Zight links you are authorized to process, and prefer a future version that allowlists Zight hosts and validates caption URLs before fetching them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill tells users it will fetch share pages, metadata, and VTT captions, but it does not clearly warn that using the skill causes outbound requests to third-party Zight domains and may pull potentially sensitive video transcript data into the agent context. This creates a privacy and data-handling risk, especially if users paste confidential share links without realizing the content will be retrieved and processed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.