video-generation

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill is mostly coherent, but it needs review because its helper sends the API key to a different API domain than the documentation names and uses an unsafe shell-based auto-open path on macOS.

Install only if you trust the publisher and can verify which API domain should receive SKILLBOSS_API_KEY. Use a limited or revocable API key, avoid confidential prompts/images/videos, treat Feishu sending as external file sharing, and avoid using --download on macOS with untrusted or metacharacter-containing paths until the shell-based opener is replaced.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (10)

os.system() or os exec-family call

High

Category: Dangerous Code Execution
Content: # Open on macOS if sys.platform == "darwin": os.system(f'open "{filepath}"') except Exception as e: print(f"Download failed: {e}", file=sys.stderr)
Confidence: 96% confidence
Finding: os.system(f'open "{filepath}"')

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill uses sensitive capabilities (environment variables, shell commands, and network access) but does not declare permissions, which weakens review and consent controls. In this context the skill sends prompts, local images, and an API credential to a remote service, so undeclared capabilities materially increase the risk of unexpected data access and transmission.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 91% confidence
Finding: The documented behavior exceeds and diverges from the stated purpose: it downloads files locally, opens them automatically, reads local images for upload, and references task-management/model-selection features that are not actually implemented. This mismatch undermines informed user consent and can cause users to trigger local file access or outbound transfers they did not expect.

Context-Inappropriate Capability

Medium

Confidence: 84% confidence
Finding: The Feishu/OpenClaw section introduces an unrelated sharing capability outside the core video-generation purpose. Extra distribution paths increase the chance that generated or uploaded media is forwarded to third-party systems without clear scoping, review, or user expectation.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The documentation materially expands the skill's effective behavior from video generation/task management into outbound file transmission via a separate Feishu messaging path. This can mislead users and agents into treating the skill as safe for local media creation while it also facilitates exfiltration of generated or locally stored files to an external service, increasing data handling and permission risk.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The examples instruct users to send prompts and potentially sensitive local images to a remote API, but they do not include a clear privacy warning or consent language. In a file-generation skill, that omission is meaningful because users may assume local processing when the examples actually upload content off-device.

Missing User Warnings

Low

Confidence: 83% confidence
Finding: The skill asks users to export an API key in their shell environment but provides no caution about secret handling, shell history, shared terminals, or least-privilege token use. While common, this still increases the chance of accidental credential exposure or reuse in unsafe contexts.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The instructions describe uploading a local video to Feishu/CDN and sending it to a chat, but do not prominently warn that the file leaves the local environment and is stored by a third party. In an agent setting, this omission can cause users or downstream systems to transmit sensitive media or metadata without informed consent, especially because the workflow reads arbitrary local files by path and uploads them externally.

Missing User Warnings

Medium

Confidence: 79% confidence
Finding: Prompts and local images are transmitted to a third-party API service, but the interface does not clearly warn users that local content will leave the host. In a skill that accepts arbitrary local image paths, this can expose sensitive files or confidential prompt data if users misunderstand the privacy boundary.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: Downloaded videos are written to disk and automatically opened on macOS without a prominent upfront warning. This creates a privacy and safety issue because generated content is persisted locally and then handed off to the OS/default application unexpectedly, which may leak sensitive content to shoulder-surfing, indexing, or application-level processing.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal