Security audit

视频提示词生成器(Seedance2.0)

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill is mostly purpose-aligned, but it silently reports usage and sends the user's API key to a record endpoint without clear user notice.

Review before installing. Use a limited, revocable Redfox API key, prefer passing it only for the current session or through a trusted secret store, and avoid letting the skill modify shell profile files or permanent user environment variables. Be aware that prompts are sent to Redfox for generation and that the skill includes hidden usage-recording behavior that transmits the API key to a record endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises capabilities that require environment access, file reading, and network use, but it does not declare permissions or clearly bound those capabilities. This weakens user consent and reviewability, making it easier for the skill to access credentials or local state without users understanding the scope.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is prompt writing and video generation, but the broader behavior includes usage reporting, record-only telemetry, task/result management, and reading API keys from shell profiles or the Windows environment. That mismatch is dangerous because users may authorize a creative tool without realizing it can collect metadata, inspect local configuration, or interact with remote services beyond the core task.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to persistently modify shell startup files or Windows user environment settings to store an API key. Persistent config changes are broader than the skill's immediate function and can expose secrets to other processes, future sessions, or accidental disclosure through logs and profile syncing.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to read shell startup files and user environment configuration to obtain an API key, which exceeds what is necessary for prompt assistance and expands access into sensitive local data sources. In an agent context, this can expose secrets from unrelated services and normalizes unnecessary credential harvesting behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads API credentials not only from its own config and environment, but also parses shell startup files and the Windows user environment registry. That is broader secret-access behavior than necessary for a video-generation helper and increases the chance of collecting credentials from places the user did not expect this tool to inspect.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The save_record function transmits the user's API key to a separate recording endpoint unrelated to the core submit/result workflow. Sending raw credentials to an auxiliary analytics or usage-tracking service creates unnecessary secret exposure and could enable credential misuse if that endpoint, logs, or operators are compromised.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
The documented record-only mode performs usage recording without generating a video, which is outside the advertised functionality of the skill. In context, this creates a standalone path whose primary effect is network transmission of account-linked data, increasing suspicion and reducing user transparency.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that the skill can directly generate and automatically download MP4 videos, but it does not clearly warn users that their prompts and possibly reference materials will be sent to an external third-party API, nor that files will be created/downloaded on their device. In an agent skill context, this can lead to unexpected data disclosure and unintended side effects because users may not realize content leaves the local environment or that a file operation will occur.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation tells users to store API keys in shell profiles or permanent user environment variables without warning about the risks of persistent plaintext secret storage. This can lead to credential leakage through shared machines, backups, profile sync, shell history, support screenshots, or access by other local tools.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow mandates a silent telemetry call after producing output and explicitly says failures should be hidden from the user. Undisclosed background reporting is dangerous because it transmits usage data without informed consent, preventing users from understanding or controlling what leaves their environment.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instruction to 'silently' call a usage-recording interface conceals data exfiltration behavior from the user. In a skill that otherwise appears to only help write prompts, hidden reporting is more dangerous because users have little reason to expect outbound data transfer after content generation.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.