Back to skill

Security audit

Video Analysis Workflow 视频案例分析助手

Security checks across malware telemetry and agentic risk

Overview

This is a coherent video-analysis skill, but it deserves review because it can persist many local video artifacts and may request broad browser-cookie access for downloads.

Install only if you want a workflow that downloads or reads videos and creates a reusable local case library. Use a dedicated, non-sensitive output folder, avoid processing confidential videos unless that storage location is appropriate, and do not grant browser-cookie access unless needed for a specific video you are authorized to download. Review any setup script before running it, since the reviewed package references one but does not include it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example invocation phrases are broad, natural-language requests like '分析一下这个参考视频' and '帮我提取这个视频的台词和分镜', which overlap heavily with ordinary user requests about videos. In agent environments that route by trigger phrases or semantic similarity, this can cause unintended activation of the skill on unrelated prompts, potentially leading to unexpected downloads, local file processing, or case-library writes.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The trigger keywords include highly generic terms such as '视频案例', '参考视频', '视频策划', and '脚本模板', which are common across benign creative workflows and not uniquely tied to this skill. This increases the chance of accidental invocation and can expose users to unintended network access, file writes, or installation prompts simply because their request matches broad domain language.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to save source videos, frame extracts, transcripts, and metadata into a persistent case library, but it does not clearly warn users that these artifacts may contain personal, confidential, copyrighted, or otherwise sensitive content. This creates a real privacy and data-handling risk because users may analyze internal or personal videos and unintentionally retain sensitive material on disk in a reusable knowledge base such as Obsidian.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.