Back to skill

Security audit

auto-video-generator

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill needs review because it overstates working video generation and includes unsafe or under-disclosed access to local files, workspace code, environment secrets, and web content.

Install only after review. Treat this as an unfinished or misleading video tool: do not run it on authenticated, internal, financial, customer, or secret-bearing pages; do not install untrusted template archives; scrub sensitive environment variables before using the VS Code helper; and verify that a real video is produced before relying on any success message.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The scenario-approval flow claims recording will not start without explicit user approval, but the sample control flow mishandles user choices and does not correctly implement the documented actions. In a recording tool, broken approval logic can lead to unintended execution, skipped review, or user confusion about what will be recorded and narrated.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill states that default full-screen recording and bypassing region confirmation are forbidden, yet later examples allow disabling region selection and effectively reverting to unsafe defaults. That contradiction weakens the privacy control the document claims to enforce and can cause accidental recording of browser chrome, taskbars, unrelated apps, or sensitive on-screen data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The `detect` command advertises project analysis but returns fixed, fabricated results regardless of input. This is a security-relevant integrity issue because users may make trust or deployment decisions based on false framework, auth, or component detection, causing unsafe assumptions about the target environment.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The `generate` workflow presents realistic progress and a success message but does not generate any video output. In an agent skill, this deceptive behavior can mislead downstream automation into believing media artifacts were created, breaking auditability and potentially causing later steps to publish, trust, or distribute nonexistent or stale outputs.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The install_template method extracts a user-supplied tar.gz archive directly with tar.extractall() into the user's template directory without validating archive member paths. This creates a classic archive traversal risk where malicious entries containing absolute paths or '..' can overwrite arbitrary files outside the intended directory, making this more than just feature creep beyond video generation.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The detector recursively reads and analyzes workspace source code to infer frameworks, components, layout, and authentication patterns, which is broader access than is clearly required for a video-generation skill. Even though it does not exfiltrate data in this file, inspecting source for auth-related keywords can expose sensitive implementation details and creates an unnecessary privacy and trust boundary violation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Authentication-pattern detection scans source files for terms like JWT, OAuth, session, cookie, login, and authenticate, which is a sensitive code-inspection capability unrelated to the stated demo-video purpose. In the context of a VS Code extension operating on user workspaces, this increases risk of collecting security-relevant details about the project without a clear need or explicit notice.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The extension passes the entire parent process environment into the spawned Python process via `env: { ...process.env }`. In a VS Code context, that environment may contain cloud tokens, API keys, proxy credentials, or enterprise secrets unrelated to video generation, and any compromised or overly permissive Python helper can read and exfiltrate them.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README encourages generating videos directly from arbitrary URLs but does not warn users that the tool will actively load remote pages in an automated browser, potentially transmitting cookies, IP address, browser fingerprints, and any page content processed for narration or rendering to third parties and network-backed dependencies. In a skill that automates browsing and media generation, this omission can lead users to process sensitive internal URLs or authenticated pages without understanding the privacy and data-exposure implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises generating videos from URLs/local pages with browser automation and AI voice narration, but it does not clearly disclose that page content may be accessed, extracted, and potentially sent to external services such as TTS providers. This can lead users to process sensitive internal pages or local files without understanding the privacy and data-flow implications, increasing the risk of unintended data exposure.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The example hardcodes a Chinese locale without indicating user consent or feature-specific necessity. Locale and language defaults can affect content rendering, authentication flows, text generation, and audio output, potentially producing recordings or narration that do not match the user's environment or exposing assumptions about user profile/region.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
Forcing a Chinese TTS voice by default without language selection can generate unintended narration, misrepresent product behavior, and create privacy or compliance issues in multilingual environments. In an automated demo/recording context, incorrect narration language can also hide the fact that the tool is making assumptions about user locale and audience.

Vague Triggers

Medium
Confidence
81% confidence
Finding
技能触发条件描述过于宽泛,覆盖“创建演示、录制用户旅程、生成文档视频”等常见请求,容易在用户未明确要求自动浏览、录屏、访问网页或生成媒体时被触发。对一个会打开浏览器、访问 URL、读取页面并录制内容的技能来说,宽泛触发会放大意外执行和非预期数据采集的风险。

Missing User Warnings

Medium
Confidence
94% confidence
Finding
文档描述会扫描 `./_bmad-output/prd`、`./docs/prd`、`./prd` 并读取所有 Markdown 内容以查找 PRD,但没有明确告知用户会遍历和读取工作区本地文件。即使范围看似有限,这仍属于未经充分披露的本地内容访问,可能把无关但敏感的产品文档、计划、内部说明纳入处理流程。

Missing User Warnings

Medium
Confidence
96% confidence
Finding
该技能会导航到目标 URL、执行真实交互并录制页面内容,但文档未充分提醒这可能访问外部网站、触发登录态、暴露页面中的敏感信息,并把内容保存到视频文件中。由于录屏会捕获实际界面、数据和可能的个人信息,这比普通网页访问更敏感,尤其在演示内部系统时影响更高。

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
示例将浏览器 `locale` 固定为 `zh-CN`,会在未经用户同意的情况下强制语言/地区环境,可能改变页面展示、日期/货币格式、实验分流甚至合规弹窗行为。对录制和自动交互类技能而言,这会影响所见内容与真实用户环境的一致性,并可能误导用户或生成错误演示。

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Installing a template package silently writes files into the user's home directory and performs archive extraction on attacker-controlled content. In the context of a video-generation skill, package installation is ancillary functionality, so unexpected filesystem modification and package deployment increase risk, especially when combined with unsafe tar extraction.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises URL-based video generation and notes that Edge TTS requires network access, but it does not clearly warn users that page content, interaction data, or generated narration text may be transmitted to external services. In a VS Code extension context, users may run this against internal apps or sensitive staging environments, so missing disclosure creates a real privacy and compliance risk.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The README describes automatic framework detection, authentication detection, project analysis, performance dashboards, and historical logs without explaining what workspace data is inspected or how long operational data is retained. In an extension that scans project folders and records usage metrics, lack of transparency can expose sensitive project metadata and surprise users in regulated or proprietary environments.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The extension reads multiple workspace files during source discovery and analysis while only showing generic progress messages such as 'Scanning project files,' without a clear user-facing disclosure of the scope and sensitivity of inspection. This weak transparency can undermine informed consent and hide unexpectedly broad local code access from users.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code logs the full generated command line, including user-supplied arguments such as file paths, PRD paths, and URLs, directly to the output channel. These values can contain sensitive internal hostnames, query parameters, access tokens, usernames, or confidential project paths, causing inadvertent disclosure to anyone viewing logs or collecting extension diagnostics.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The child process is started with a full copy of `process.env`, which means credentials present in the VS Code host environment are automatically exposed to the Python script. This increases the blast radius of any bug, supply-chain compromise, or malicious behavior in the helper script because it grants access to secrets the feature does not need.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes arbitrary URL input and share-link functionality but does not warn that submitted pages and generated videos may contain sensitive data or become accessible to others. In a tool that records webpages and produces downloadable/shareable artifacts, this omission can lead users to unintentionally process internal dashboards, authenticated sessions, or confidential content and expose the resulting outputs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation encourages use of localhost, local file paths, and internal-style resources without warning that the service may ingest sensitive local or intranet content. In this skill's context, a browser automation/video generation service can capture private application state, internal admin panels, or local files and convert them into stored artifacts, creating SSRF-like exposure and data leakage risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The download/share workflow describes easy distribution of generated MP4s but gives no indication of retention period, access control, or whether share links are public or guessable. Because the output may contain recorded UI states, tokens, personal data, or confidential business screens, unclear sharing semantics materially increase the chance of accidental disclosure.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.