Back to skill

Security audit

Tencent MPS Intl.

Security checks across malware telemetry and agentic risk

Overview

This is a broad Tencent Cloud media-processing skill, but it includes a feature framed as bypassing platform duplicate detection and several high-impact cloud, credential, and file-transfer behaviors that need review.

Install only if you are comfortable giving the skill Tencent Cloud credentials and allowing it to upload, process, store, download, and share links to media through Tencent Cloud services. Avoid using the deduplication/bypass feature, use least-privilege temporary credentials, keep sensitive media out unless you have consent and a retention plan, and review commands carefully before confirming paid or upload operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (63)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    cmd = [sys.executable, "-m", "pip", "install", "--upgrade", "--quiet"] + specs
    print(f"⏳ Auto-installing/upgrading missing dependencies: {', '.join(specs)}", file=sys.stderr)
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        print(
            f"❌ Auto-install failed. Please run manually:\n"
Confidence
93% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and orchestrates shell execution, network access, environment-variable use, and local/COS file operations, but no explicit permission declaration is present. This creates a trust and review gap: a caller may invoke a skill with broad operational capabilities without clear disclosure or policy gating, increasing the chance of unintended command execution or data exposure.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documentation explicitly frames the feature as modifying videos to bypass platform duplicate-content detection, which materially changes the skill from neutral media processing into evasion of third-party enforcement systems. In this skill context, that is more dangerous because the examples and mandatory rules operationalize the abuse case rather than merely describing a generic transform.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
Labeling the capability as 'Video Deduplication' while immediately defining it as bypassing platform duplicate detection is a deceptive presentation of an evasion tool. That mismatch increases misuse risk by making policy-circumvention functionality appear like ordinary media processing.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script automatically downloads every generated image URL to a user-specified local directory using urllib.request.urlretrieve without validating scheme, host, size, or content type. Because the returned URLs originate from remote service responses and may also be third-party origins per the script's own comments, this expands the skill from API orchestration into arbitrary remote content retrieval, creating SSRF-like/internal reachability and unsafe file download exposure beyond the declared task wrapper behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The credential helper does more than read standard environment variables: when credentials are absent it imports mps_load_env and attempts to auto-load them from system files such as /etc/environment or shell profiles. That broadens the script's authority to harvest secrets from local configuration stores, which is unnecessary for a normal image-generation wrapper and dangerous in an agent context because it accesses local sensitive data outside explicit user input.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script expands its trust boundary by auto-loading cloud credentials from system files when environment variables are absent. In an agent/skill context, this can cause the tool to consume broader host credentials than the caller intended, increasing the risk of unintended cloud access and secret exposure through downstream API use or diagnostics.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The script explicitly states its purpose is to modify video frames to bypass platform duplicate-content detection, which is an evasion capability rather than a neutral media-processing function. In this skill context, that makes the behavior inherently dangerous because it facilitates circumvention of platform trust/safety controls and can be used to mass-republish prohibited or abusive content while avoiding detection.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script silently expands a local HTML-generation workflow into a remote upload workflow by automatically sending local files to COS and returning a presigned/public URL. In a media-processing skill, users may provide sensitive local videos or images assuming they remain local, so this behavior creates an unintended data exfiltration/privacy risk even if it is presented as a convenience feature.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script goes beyond read-only task inspection by generating COS pre-signed download URLs for output objects. That grants temporary access to media artifacts and can expose sensitive outputs in terminal logs, shell history, CI logs, or copied chat transcripts if the operator did not explicitly request a shareable link.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
When credentials are absent from the current environment, the script automatically loads them from system files via mps_load_env. This expands the trust boundary and may cause the tool to access secrets from locations the user did not intend, which is risky in an agent or automation context where file access should be explicit.

Context-Inappropriate Capability

Low
Confidence
76% confidence
Finding
When credentials are absent, the script automatically loads environment variables from system files, expanding the trust boundary beyond the current process environment. In an agent context, this can cause unexpected use of ambient secrets and makes it easier to run cloud actions with credentials the operator did not intend to expose to this task.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The loader searches for credentials in broad, user-scoped locations including parent-directory .env files, ~/.env, ~/.bashrc, and ~/.profile. For an imported skill helper, this exceeds least-privilege and can silently ingest unrelated secrets from the host environment, especially when the current working directory is attacker-influenced or shared across projects.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation states that <SKILL_DIR>/.env is loaded, but the code adds only the skill directory path itself to _ENV_FILES. This mismatch can cause operators to place credentials where they believe they will be used, while the program actually falls back to broader sources like parent .env files or shell startup files, increasing accidental secret exposure and misconfiguration risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This section encourages handling local files, COS uploads/downloads, and environment-variable validation, but it does not warn about exposing sensitive local paths, confidential media, or credentials during execution and logging. In an agent setting, that omission can lead to accidental processing, transfer, or disclosure of private data and secrets, especially when local-file and env-check flows are used automatically.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that `--local-file` is automatically uploaded to COS before processing, but it does not present this as a privacy or data-handling warning. Users may supply sensitive local media assuming purely local processing, causing unintended transmission and cloud storage of private content. In this media-processing context, that omission is more dangerous because the files can contain sensitive audio, faces, documents, or other personal data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill accepts remote media via `--url` for audio/video understanding, but the documentation does not warn that submitting a URL causes third-party retrieval and analysis of the referenced media. This can expose private or presigned URLs, internal resources, or confidential media to external processing, and the risk is elevated here because the feature is specifically designed to ingest and analyze user-supplied content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly supports passing SecretId and Secret Key on the command line and enabling verbose logging, but it gives no warning that command-line arguments may be exposed through shell history, process listings, CI logs, or terminal transcripts. In a cloud-storage skill, this omission increases the chance that users or downstream agents will handle long-lived credentials unsafely and accidentally disclose them.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The download guidance describes writing to local paths, including automatic default saves, without warning that existing files may be overwritten or that local filesystem state will be modified. In an agent workflow, this can lead to unintended data loss or corruption if a generated path collides with an existing file or if users are unaware where artifacts will be written.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file promotes an evasion-oriented use case without warning users about platform policy violations, account enforcement, or integrity risks. In this context, the absence of safety messaging lowers friction for abusive use and signals tacit approval of circumvention.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation says local file comparison will 'Auto-upload to COS and Generates Links' but the example provides no warning that supplying a local path may transmit local media to cloud storage. This can cause unintended data exfiltration of sensitive files because a user may reasonably assume a local comparison tool keeps data local, especially given the earlier 'does not call MPS API and incurs no charges' framing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly supports uploading local images to COS and submitting public image URLs to Tencent Cloud MPS, but it does not warn users that these images may contain personal, biometric, or otherwise sensitive data and will be transmitted to and processed by an external cloud service. In this skill context, the risk is elevated because the examples involve human model images and body-shape transformation, which commonly implicate privacy-sensitive and potentially regulated data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly supports uploading local files and sending image content to Tencent Cloud MPS for OCR and image comprehension, but it provides no warning that images may contain sensitive personal, financial, or proprietary data. In a skill that encourages document understanding and product/invoice extraction, this omission can cause users to transmit regulated or confidential content to a third-party service without informed consent or data-handling safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly supports `--local-file` input and output artifact generation, which implies automatic upload of local content to COS and persistence of generated cutouts/results, but it does not warn users about the resulting external data transfer and storage side effects. In a media-processing skill, this can lead to unintended upload of sensitive local files or retention of derived artifacts containing personal or confidential visual data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes sending model and clothing images to Tencent Cloud MPS and storing generated outputs in COS, but it does not clearly warn users that their images and results are transmitted to external cloud services. Because these inputs may contain personal, biometric, commercial, or otherwise sensitive data, omission of this disclosure can lead users to share data without informed consent or appropriate governance controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.