Local Video Understanding

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only video analysis skill whose local tools fit its purpose. It carries a privacy note because it mentions an optional cloud LLM summarization step.

Use this skill only on videos you are comfortable processing with local tools that create temporary audio and frame files. Avoid the optional cloud LLM summary step for confidential, regulated, or private videos unless you explicitly choose the provider and understand what transcript or frame-derived content may be sent.
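The guidance above could be enforced with an explicit opt-in check before any cloud call. The following is a minimal sketch, not the skill's actual implementation: `SummaryConfig`, its fields, and `may_send_to_cloud` are hypothetical names, and the rule it encodes (no named provider means local only; sensitive videos additionally require an acknowledgement) is one assumed reading of the recommendation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SummaryConfig:
    """Hypothetical settings; the skill itself does not define these names."""

    # Provider the user explicitly chose, or None to keep everything local.
    cloud_provider: Optional[str] = None
    # True for confidential, regulated, or private videos.
    video_is_sensitive: bool = False
    # True once the user has confirmed they understand what may be sent.
    acknowledged_data_sharing: bool = False


def may_send_to_cloud(config: SummaryConfig) -> bool:
    """Allow the cloud summary step only after an explicit, informed choice."""
    if not config.cloud_provider:
        # No provider was named, so the workflow stays local by default.
        return False
    if config.video_is_sensitive and not config.acknowledged_data_sharing:
        # Sensitive content needs an extra acknowledgement before leaving the device.
        return False
    return True
```

With the defaults, `may_send_to_cloud(SummaryConfig())` returns `False`, so a caller has to opt in deliberately rather than opt out.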

SkillSpector

By NVIDIA

Vulnerability Patterns

Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Severity: Medium

Confidence: 91%
Finding: The skill is described as a local video-understanding workflow, but it explicitly allows summary or analysis to be sent to a cloud LLM API. That creates a data-boundary mismatch: users or calling agents may assume extracted transcripts and visual descriptions remain local when sensitive video-derived content could instead be transmitted off-device.

Missing User Warnings

Severity: Medium

Confidence: 94%
Finding: Mentioning cloud LLM API usage without a user-facing disclosure obscures that derived data from the video, such as transcripts, frame descriptions, or summaries, may leave the local environment. In a skill marketed around local processing, this omission can lead to unintentional transmission of sensitive or regulated content.
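One way to close this gap is to show the user exactly which derived items would be transmitted and to require an affirmative answer first. The sketch below is illustrative only: `build_disclosure` and `is_affirmative` are hypothetical helpers, the wording of the notice is an assumption, and nothing here reflects how the skill actually prompts users.

```python
from typing import Sequence


def build_disclosure(provider: str, derived_items: Sequence[str]) -> str:
    """Return a user-facing notice naming what would leave the local environment."""
    if not derived_items:
        return "No video-derived data will leave the local environment."
    listed = ", ".join(derived_items)
    return (
        f"The following video-derived data will be sent to {provider}: {listed}. "
        "This data will leave the local environment. Continue? [y/N]"
    )


def is_affirmative(answer: str) -> bool:
    """Treat only an explicit 'y' or 'yes' as consent; anything else declines."""
    return answer.strip().lower() in {"y", "yes"}
```

A caller might print `build_disclosure("example-provider", ["transcript", "frame descriptions"])`, read the reply, and proceed to the cloud step only when `is_affirmative` returns `True`. Defaulting to "no" on empty or unexpected input keeps accidental transmission unlikely.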

VirusTotal

64/64 vendors flagged this skill as clean.
