VPick AI Video Creator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote VPick video-creation connector; it sends prompts and media to external services and may spend VPick credits, but no hidden local code or purpose-mismatched behavior was found.

Install only if you are comfortable using VPick as the remote service for video generation. Treat the MCP URL as a password, avoid uploading sensitive or rights-restricted media unless VPick and its providers may process and store it, and confirm the model, duration, output count, and approximate credit cost before running generation jobs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill description contains very broad trigger phrases such as 'create a video', 'generate video', and 'add voiceover', which are likely to match many common user requests and cause this skill to be invoked outside narrowly intended contexts. Over-broad routing can expose users' prompts and uploaded media to this third-party service unexpectedly, increasing the chance of unnecessary data disclosure, unintended charges, and inappropriate tool activation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal