Vpick Ai Video Creator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed VPick video-generation connector with paid cloud processing, but the artifact is coherent and contains no hidden local code or unrelated access.

Install only if you trust VPick and its listed model providers with your prompts and uploaded media. Treat the MCP URL like a password, monitor VPick credit usage before large generations, and regenerate the token if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The skill description contains very broad trigger phrases such as 'create a video', 'generate video', and 'add voiceover', which are common user intents and can cause the skill to activate in situations where the user did not intend to use this specific third-party service. Because the skill can drive paid generations and media uploads through an authenticated MCP link, unintended invocation can lead to unwanted actions, data disclosure to external providers, and surprise account charges.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal