Tencent VOD

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with Tencent VOD work, but it needs review because it can automatically change the Python environment, read and write credential files, and retain cloud-media task data locally.

Install only if you are comfortable granting a local helper access to Tencent Cloud VOD credentials and paid media/AIGC operations. Review the runtime auto-upgrade behavior, avoid running it in a shared or production Python environment, keep dotenv files private, and do not submit confidential media URLs, prompts, or session context unless that data is approved for Tencent Cloud processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--upgrade", "--quiet",
    ]
    print(f"⏳ 正在自动升级 tencentcloud-sdk-python >= {min_ver_str} ...", file=sys.stderr)
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        print(
            f"❌ 自动升级失败,请手动执行:\n"
Confidence
95% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation exposes generic function-calling capability via arbitrary `--tools` and `--tool-choice` parameters, which goes beyond a VOD-specific command generator and effectively turns the skill into a general-purpose agent interface. In a constrained skill context, this capability expansion is dangerous because it can enable unexpected external action orchestration or broaden the attack surface for prompt/tool abuse contrary to the declared scope.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The examples document broad, non-VOD use cases such as general chat, poetry, math proofs, and weather-tool demos, which materially exceed the stated purpose of a Tencent VOD operation-command assistant. This scope drift weakens user and platform expectations, making it easier to repurpose the skill as a general LLM endpoint and increasing the chance of unsafe handling of unrelated prompts, data, or tool flows.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The reference document explicitly includes `mpsAiMediaInfo` as a supported filter and describes MPS intelligent media fields, which conflicts with the manifest's stated non-trigger scope for MPS-related operations. This can cause the agent to invoke the skill for out-of-scope requests, weakening routing boundaries and potentially exposing unintended capabilities or data paths.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The example actively instructs users to query `mpsAiMediaInfo`, operationalizing an MPS capability that the manifest says should not trigger this skill. Concrete examples are especially risky because they make misuse easy and increase the chance that downstream agents will treat the unsupported capability as approved behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The reference documentation explicitly lists `ProcessMediaByMPS` as a supported task type, even though the skill metadata says MPS-related operations should not trigger this VOD skill. That mismatch can cause the agent to route or answer out-of-scope requests, weakening boundary enforcement and potentially leading to incorrect or unauthorized operation guidance.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script persists freshly created AIGC tokens into ~/.env or other detected dotenv files automatically, expanding its behavior from API token management into local secret persistence. This is dangerous because it stores long-lived credentials on disk without explicit opt-in, increasing the chance of accidental disclosure through backups, repository inclusion, shared home directories, or lax file permissions.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script both loads cloud credentials from dotenv files and writes generated AIGC tokens back into local dotenv files, creating bidirectional secret-file access. Even if intended for convenience, this broadens the trust boundary to local files and can expose secrets if those files are world-readable, synced, committed, or shared across projects.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A task-description script unexpectedly persists AIGC custom-element results to local storage, creating unnecessary retention of potentially sensitive model outputs and identifiers. Because the file is shared across runs, data from different tasks can accumulate and be exposed to other local users, processes, or later commands without clear user consent.

Intent-Code Divergence

Low
Confidence
77% confidence
Finding
The comment says data is saved under a task-specific path, but the code actually writes to a shared mem/elements.json file. This mismatch can mislead operators about isolation and retention, increasing the risk of unintended data mixing or disclosure across tasks.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script is described as a VOD command helper, but it contains active credential-loading behavior from local dotenv files. That expands the trust boundary by reading secrets from user-local files implicitly, which can surprise users and cause the skill to access credentials beyond what is necessary for simple command generation.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description repeatedly states that any request involving a very broad set of VOD-, AI-, search-, and image-related actions "must" or "should" invoke this skill. This creates overbroad routing that can capture loosely related user requests, increasing the chance of unintended tool use, incorrect delegation, and exposure of powerful cloud-media operations when a narrower or different skill would be more appropriate.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document instructs users to send prompts, images, audio, and files/URLs to remote AIGC endpoints but does not provide an explicit privacy or data-disclosure warning. This is risky because users may unknowingly submit sensitive media, transcripts, or proprietary content to third-party processing services, especially in a media platform context where uploaded assets are often confidential or regulated.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document explicitly states that successful create requests are appended to a local mem/elements.json file, including fields such as element_description, reference video/image URLs, session_id, and session_context. Because session_context is described as carrying user request information and the referenced URLs may be private or sensitive, this creates a real risk of unintended local persistence of sensitive user data without any warning, minimization, retention guidance, or access-control recommendations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly supports user-supplied remote image URLs and a free-form `--session-context` field for transmitting request context, but it provides no warning about privacy, sensitive data handling, or the risks of sending internal URLs, personal data, or confidential business context to a cloud API. In a VOD/AIGC skill, this increases the chance that operators will unintentionally submit sensitive media references or metadata to external services, creating privacy leakage and compliance risk rather than a code-execution flaw.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation encourages `--url`, `--prompt`, and `--session-context` usage for image understanding but does not warn that the referenced image URL, image content, and accompanying prompt/context may be sent to Tencent Cloud/VOD and potentially third-party model backends for processing. In a cloud AI/media-processing skill, this omission can cause users to unintentionally disclose sensitive internal URLs, personal data, or confidential business context when following the examples.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly advertises `--verbose` as showing detailed information including URLs, but it does not warn that returned media URLs may be signed, time-limited, or otherwise sensitive operational links. In a VOD administration/search skill, exposing such URLs in logs, chat transcripts, screenshots, or shared terminals can leak direct access paths to private media or internal asset locations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The create flow saves newly issued API tokens to ~/.env or discovered dotenv files automatically, but this side effect is not clearly disclosed in the tool's top-level interface description. Hidden persistence of a non-expiring token is risky because users may believe they are performing a transient management action while the tool is actually creating durable local secret storage.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script stores user-supplied element metadata, media URLs, and related task context into mem/elements.json automatically after task submission. In this skill context, those values can contain sensitive business data, internal asset URLs, or identifying information, and the interactive flow does not clearly warn users that local persistence will occur.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script writes task results to disk without an explicit warning or opt-in at the write site, which can surprise users and create quiet local data retention. Even if the content is not secret by design, silent persistence increases the chance of accidental leakage from shared systems or checked-in working directories.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When environment variables are missing, the script automatically attempts to load credentials from dotenv files and only prints a brief message at runtime. Implicit secret discovery without strong prior consent is risky because users may not expect local files such as ~/.env to be accessed by a helper script.

VirusTotal

VirusTotal findings are pending for this skill version.
