Security audit

Shinewilzhang Video Generate

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward video-generation helper that uses a disclosed external API and writes the requested output file, with some practical privacy and overwrite cautions.

Install only if you are comfortable sending your prompt and any selected first-frame image to the Ark/Volcengine service. Use a dedicated API key, avoid sensitive local images or internal URLs, install the required SDK from a trusted source, and choose an output path where overwriting a file would not matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation explicitly describes network access, environment-variable credential use, and downloading a file, but the skill declares no corresponding permissions. This creates a transparency and policy gap: users and platforms may not realize the skill can access secrets and make outbound requests, increasing the risk of unintended credential use or data transfer.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The documentation says the generated video will be downloaded to the user-specified path, but it does not warn that an existing file may be overwritten or that arbitrary local paths may be written. In context, this is less severe because the filename is an explicit argument, but it still poses a risk of accidental file clobbering or writes to sensitive locations if the caller passes an unsafe path.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.