AI Video Editor

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed Sparki video-editing integration that uploads user-selected MP4 files for processing and downloads results, with no artifact-backed evidence of deception, persistence, credential theft, or unrelated data access.

Before installing, confirm you are comfortable uploading selected MP4 files to Sparki's remote service and ensure the skill is only used on videos you are allowed to share externally. The manifest should ideally declare its network, file, environment, and execution needs more explicitly, but the reviewed evidence does not support a Review or malicious classification.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill advertises and relies on sensitive capabilities including environment access, file read/write, network access, and shell/Python execution, yet the manifest does not declare explicit permissions. This weakens review and user consent because the effective capability surface is broader than what a consumer may expect from the permission model.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal