ZeroCut AI Video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ZeroCut command-reference skill, but it can send selected resources to ZeroCut storage and write output files locally.

Install only if you intend to use ZeroCut CLI for media generation or document/media conversion. Review file paths, URLs, ffmpeg/pandoc arguments, and output names before running commands, and do not sync private files or sensitive documents unless you are comfortable sending them to ZeroCut’s processing environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 85%
Finding
The metadata description says to invoke the skill whenever the user needs to generate media, run ffmpeg/pandoc, sync resources, or save outputs, which is broad enough to trigger on many ordinary requests without requiring explicit user consent for tool use or filesystem effects. In an agent setting, overly broad invocation guidance can cause unnecessary execution of powerful CLI actions, including network resource syncing and local file writes, increasing the chance of unintended side effects.

Vague Triggers

Medium
Confidence: 90%
Finding
The 'When To Invoke' section uses ambiguous triggers like 'generate image, video, music, or speech audio' and 'save generated results to local output files' without boundaries, approval requirements, or safety checks. Because this skill exposes command execution pathways for ffmpeg and pandoc plus resource syncing, vague activation conditions materially increase the risk of the agent selecting the skill in situations where the user only wanted discussion, not execution.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly documents automatic local file writes, auto-download of sandbox outputs to the local current directory, and automatic creation of missing parent directories, but it does not instruct the agent to warn the user or obtain confirmation before modifying the filesystem. In practice, this can lead to unexpected persistence of generated or converted files, accidental overwrites, and writes to sensitive or unintended paths if output paths are derived from user input.

VirusTotal

66/66 vendors flagged this skill as clean.
