Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- scripts/aivideo-client.mjs:5
Security audit
zxcvbnm-mnbvcxz
Security checks across malware telemetry and agentic risk
Overview
This is a disclosed AIVideoMaker API wrapper that requires an API key and can create or cancel video tasks, with no hidden or unrelated behavior found.
Install only if you trust the publisher and are comfortable providing an AIVideoMaker API key. Review prompts, image payloads, durations, and task IDs before running commands because they are sent to AIVideoMaker and may consume credits or cancel an existing task.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
66/66 vendors flagged this skill as clean.
Static analysis
Detected: suspicious.env_credential_access