Back to skill

Security audit

kameo

Security checks across malware telemetry and agentic risk

Overview

The skill performs its advertised video-generation workflow, but it exposes a live-looking API key and handles credentials and user input in ways that need review before use.

Review before installing. Use your own Kameo and Google keys, rotate or avoid any key copied from the documentation, and do not pass real passwords to register.sh on the command line. Only upload images and dialogue you are comfortable sending to Kameo and, for enhanced generation, Google Gemini. Prefer a secure secret manager over ~/.config/kameo/credentials.json, and avoid untrusted filenames or dialogue text with the current enhancement script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents use of environment variables, shell scripts, and outbound network access, but does not declare permissions or clearly scope those capabilities. In an agent environment, undeclared capabilities reduce transparency and can cause the skill to access secrets or external services without adequate user awareness or policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior extends beyond simple video generation into account registration, login/API-key creation, local credential storage, credit checks, and third-party prompt enhancement. This mismatch prevents informed consent and increases the attack surface by introducing identity, credential, and data-sharing operations users would not reasonably expect from the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Including a registration helper and API-key creation workflow goes beyond media generation and introduces account lifecycle operations that can create or manage user identities and secrets. That broadens the security scope and can lead to unauthorized account actions or accidental creation/storage of credentials in environments not prepared to protect them.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script performs an additional Gemini-based image-analysis and prompt-enhancement workflow that is not obvious from a narrowly described Kameo video-generation skill. This expands the trust boundary and causes user-supplied images and dialogue to be processed by a second model/service, creating unexpected data handling and behavioral surface area.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads a Google API credential and calls a separate external AI service, which is broader than the stated Kameo-only purpose and increases exposure of secrets and user data. Even though it only reads a specific environment variable, the undeclared secondary integration is a genuine supply-chain and disclosure risk because users may not expect Google service usage at all.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script performs account signup, password-based login, API key creation, and local credential persistence, which goes beyond the skill's stated media-generation behavior and materially expands its security scope. Even if intended as a convenience helper, this introduces credential-handling and secret-management risks that users may not expect from a video-generation skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script provisions a long-lived API key and stores it on disk, creating persistent authentication material that can be reused if the local environment is compromised. This increases the blast radius beyond a one-time session token and is not strictly necessary for the described video-generation capability.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill handles user images and prompts but does not prominently warn that this content is uploaded to an external API and that resulting videos are served from a CDN. Users may unknowingly transmit sensitive biometric or personal content to third parties, creating privacy, compliance, and data-governance risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation contains a full plaintext API key and instructs users to export it or write it to a local credentials file. Exposed secrets in docs are commonly copied into shells, logs, screenshots, repos, and shared files, enabling unauthorized API use and account abuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Passing email and password directly as command-line arguments can expose credentials through shell history, process listings, terminal logging, and monitoring tools. This unnecessarily increases the chance of credential theft, especially on shared systems or recorded environments.

Missing User Warnings

High
Confidence
99% confidence
Finding
The API reference includes an authenticated request example with a full API key in the header, which directly exposes a usable secret. Anyone reading or scraping the documentation can reuse the key for unauthorized requests, consume credits, and access account-scoped operations.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script sends the image contents and embedded dialogue to Google's API without an explicit disclosure or consent step at execution time. This is dangerous because images and speech text may contain sensitive biometric, personal, or confidential information, and users may believe the skill only interacts with Kameo.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the user password to a remote signup endpoint without any clear user-facing notice about credential handling, storage expectations, or trust boundaries. Although HTTPS is used, undisclosed collection and transmission of passwords is risky because users may not realize the script is directly handling primary credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The login flow directly transmits the supplied password to obtain an access token, again without explicit disclosure or a safer delegated authentication method. Handling passwords in CLI arguments and network requests raises the chance of exposure via shell history, process inspection, or user misunderstanding.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes a reusable API key to a local file without advance warning, creating persistent secret material on disk that users may not expect. Even with restrictive file permissions, plaintext storage can be abused by malware, backup leakage, or accidental disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
## API Details

**Base URL:** `https://api.kameo.chat/api/public`

### Generate Video
Confidence
90% confidence
Finding
https://api.kameo.chat/

Credential Access

High
Category
Privilege Escalation
Content
# 或保存到配置文件
mkdir -p ~/.config/kameo
cat > ~/.config/kameo/credentials.json << EOF
{
  "api_key": "kam_I3rdx43IymFNbfBw1c0ZbSc7o3aUfQgz8cljZA6T7fs"
}
Confidence
96% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
# Save to config
    mkdir -p ~/.config/kameo
    cat > ~/.config/kameo/credentials.json << EOF
{
  "api_key": "$KAMEO_KEY",
  "email": "$EMAIL"
Confidence
93% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
"email": "$EMAIL"
}
EOF
    chmod 600 ~/.config/kameo/credentials.json
    
    echo "✅ Saved to ~/.config/kameo/credentials.json"
    echo ""
Confidence
92% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
EOF
    chmod 600 ~/.config/kameo/credentials.json
    
    echo "✅ Saved to ~/.config/kameo/credentials.json"
    echo ""
    echo "Export for current session:"
    echo "  export KAMEO_API_KEY='$KAMEO_KEY'"
Confidence
91% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
export KAMEO_API_KEY="kam_I3rdx43IymFNbfBw1c0ZbSc7o3aUfQgz8cljZA6T7fs"

# 或保存到配置文件
mkdir -p ~/.config/kameo
cat > ~/.config/kameo/credentials.json << EOF
{
  "api_key": "kam_I3rdx43IymFNbfBw1c0ZbSc7o3aUfQgz8cljZA6T7fs"
Confidence
88% confidence
Finding
mkdir -p ~/.config/kameo cat > ~/.config

Session Persistence

Medium
Category
Rogue Agent
Content
echo ""
    
    # Save to config
    mkdir -p ~/.config/kameo
    cat > ~/.config/kameo/credentials.json << EOF
{
  "api_key": "$KAMEO_KEY",
Confidence
94% confidence
Finding
mkdir -p ~/.config/kameo cat > ~/.config/kameo/credentials.json << EOF { "api_key": "$KAMEO_KEY", "email": "$EMAIL" } EOF chmod 600 ~/.config/kameo/credentials.json echo "✅ Saved

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:32

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
USAGE.md:9

Shell script base64-encodes a local file and sends it over the network.

Critical
Code
suspicious.potential_exfiltration
Location
scripts/generate_video.sh:57