video

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned video-generation helper, but users should understand that prompts/images go to a third-party API and generated videos are saved locally.

Install only if you are comfortable sending video prompts and any input images to SkillBoss API Hub. Avoid using sensitive, private, or confidential media, and choose output paths carefully so generated files do not overwrite important local files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Tainted flow: 'video_resp' from requests.get (line 127, network input) → pathlib.Path.write_bytes (file write)

Medium

Category: Data Flow
Content: print(f"Downloading video from {video_url}...") video_resp = requests.get(video_url, timeout=120) video_resp.raise_for_status() output_path.write_bytes(video_resp.content) # Verify and report if output_path.exists():
Confidence: 92% confidence
Finding: output_path.write_bytes(video_resp.content)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs users to submit prompts and optionally input images to a remote video-generation service, but it does not warn that this content will be transmitted to an external third party. Users may provide sensitive text or images under the assumption processing is local, creating a confidentiality and privacy risk in agent-driven environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal