Video Clip

Security checks across malware telemetry and agentic risk

Overview

The local video clipper is straightforward, but the skill also documents an under-disclosed remote AI editing flow that can upload videos and expose an API key.

Install only if you are comfortable reviewing the AI Edit section carefully. Basic clipping appears local, but smart editing can send video files to an external service and uses a persisted API key; avoid private media unless the endpoint, retention, and access controls are acceptable, and do not run the shown key-check command where logs or other users could see the output.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The manifest and top-level description present the skill as a local ffmpeg-only clipper, but the file also contains a complete remote AI-edit workflow that uploads user videos to an external API. This mismatch is dangerous because operators may approve or invoke the skill under a local-only trust model while hidden functionality enables off-device data transfer of potentially sensitive media.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The embedded AI-edit block performs network upload, polling, and remote processing even though the stated purpose of the skill is simple local clipping. Including unrelated remote-processing capability expands the attack and privacy surface, creating a path for user media to leave the local environment without being central to the advertised function.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The AI Edit section instructs users to use a remote service for smart editing but does not provide a clear privacy warning that the video file and related metadata will be uploaded to an external API. For media files, this can expose sensitive visual, audio, or embedded metadata content, especially if users assume the skill remains local based on the overall description.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal