Back to skill

Security audit

550W视频去字幕

Security checks across malware telemetry and agentic risk

Overview

This skill coherently uses a disclosed 550W AI API integration to upload or submit videos for subtitle/watermark removal, with expected credential and network use.

Before installing, use it only with videos or URLs you are authorized to send to the 550W AI service, and understand that processing may consume account credits. Prefer environment variables for credentials and avoid submitting sensitive or regulated media unless 550W's data handling terms meet your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill processes user-supplied videos or URLs by sending them to a third-party service (550W AI), but the user-facing description does not clearly warn that content will leave the platform. This creates a privacy and data-handling risk because users may submit sensitive media or internal URLs without informed consent, and external transfer may expose personal, confidential, or regulated data.

Missing User Warnings

Low
Confidence
83% confidence
Finding
When width, height, or duration are missing, the workflow automatically probes an arbitrary user-provided video URL over the network. If unvalidated, this can enable server-side requests to internal or restricted network locations (SSRF-style behavior), which is more dangerous because the skill explicitly accepts URLs and performs backend fetching as part of normal operation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/api-client.js:20

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/credential-manager.js:66