Back to skill

Security audit

Byted Mediakit Voiceover Editing

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its video-editing purpose, but it needs review because it can expose local files through its review server and silently change cloud media publication state.

Review before installing. Use least-privilege VOD and ASR credentials, use an isolated test media space, and assume cloud/apig mode can upload media and produce real playback URLs. Do not run the review server on a non-localhost host, stop it when finished, and avoid browsing untrusted pages while it is running. Expect local mode to download/install dependencies and model assets unless already provisioned.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill can change remote asset publish status, which is a state-changing media exposure action not obviously required for local editing. In a talking-head editing context, this is more dangerous because a user may expect processing only, but the helper can make assets playable/publicly accessible through backend publication.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The 'local' ASR path uses torch.hub.load against a remote repository, which can implicitly fetch and execute repository-provided Python code and model assets at runtime. In a skill presented as local/offline processing, this creates a supply-chain and disclosure problem: unreviewed remote code may run unexpectedly, and user audio may be processed in an environment that is not truly self-contained.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The code downloads pretrained ASR and forced-alignment models from remote model hubs during execution, despite the feature being described as 'local' transcription. This is dangerous because it introduces supply-chain exposure, unexpected network egress, and nondeterministic behavior if upstream artifacts change or are compromised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
In local mode, the script automatically invokes pip to install packages at runtime, expanding the skill's effective capabilities beyond media processing into software installation and code retrieval from package indexes. In a skill with file/network permissions, this increases supply-chain and environment-tampering risk, especially if dependency versions are unpinned or a package source is compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The /local-media endpoint serves any absolute path supplied by the requester, with no restriction to the task output directory or approved media roots. That allows anyone who can reach the review server to read arbitrary local files, including sensitive data such as SSH keys, environment files, cloud credentials, or other user documents, which is well beyond the stated talking-head review purpose.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes broad everyday phrases such as '剪视频', '处理音频', and '自动剪辑', which can cause the skill to activate in contexts beyond its intended talking-head editing scope. Because this skill has network, file_read, and file_write permissions, accidental invocation can expose user files or cause unintended media processing actions, increasing operational and privacy risk.

Vague Triggers

High
Confidence
97% confidence
Finding
The skill description mandates invocation for very broad terms like 'video editing', 'processing audio', and even 'or similar', which can cause the agent to activate this skill in contexts unrelated to the user's actual intent. Because the skill has network and file read/write permissions, overbroad routing increases the chance of unnecessary access to local files or external services.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger list contains generic phrases such as '剪视频', '处理音频', '自动剪辑', and '视频剪辑' that are broad enough to match many unrelated media tasks. In this skill's context, broad triggers are risky because they can cause automatic selection of a privileged workflow that reads/writes files and may send media to network services.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The document explicitly instructs running `./scripts/setup.sh`, and nearby text says the script may create a `.env` scaffold and install dependencies. Because this causes local filesystem changes without a clear upfront warning or consent step, it creates a transparency and safety issue for an agentic workflow, even though the behavior described is ordinary setup rather than overtly malicious.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The step explicitly states that if the user does not reply within 20 seconds, the workflow will proceed using default filler-word and hesitation-word settings before ASR/editing. In a talking-head editing skill, this can cause unintended deletion or mislabeling of speech content without informed consent, especially when defaults do not match the speaker’s language habits or editorial intent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly instructs generation of export_request.json and review_import_data.json containing real URLs, but provides no privacy, access-control, or data-handling guidance. Real media URLs can expose internal storage locations, signed links, tenant identifiers, or directly accessible media assets, increasing the risk of unintended disclosure through logs, file sharing, or downstream review tools.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code modifies media publish status with no user-facing disclosure, confirmation, or indication that a privacy/access-control relevant state change is happening. In this skill context, that is risky because editing helpers should not silently alter distribution settings for user media.

Missing User Warnings

High
Confidence
98% confidence
Finding
A read-like helper, get_play_video_info, silently performs UpdateMediaPublishStatus when media is not already published. That is especially dangerous because callers seeking metadata or a playback URL may unknowingly trigger remote publication of private assets, violating least surprise and potentially exposing content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists full ASR response data to disk under the output directory without any access control, minimization, retention limit, or user-facing notice in this file. ASR results can contain sensitive speech transcripts, speaker attributes, and metadata, so writing them to disk increases privacy and data exposure risk if other tools, users, or later steps can read the output directory.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code silently persists EXECUTION_MODE into the repository-level .env file, potentially changing future runs without an immediate, explicit consent prompt at the mutation point. In an agent/automation context with file_write permission, this creates a stateful configuration change that can surprise operators, alter trust boundaries, and indirectly route later processing toward networked modes.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
torch.hub.load can retrieve code and weights from a remote source without any visible warning in this skill, so operators may believe processing is fully local while the code performs network access and executes externally sourced components. In a media-processing skill with file and network permissions, hidden remote fetches increase trust and privacy risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs pip installation automatically and without explicit warning or confirmation, which can surprise operators and cause unreviewed code execution from external package repositories. In the context of an agent skill that may be triggered for ordinary editing tasks, this is risky because a routine media action can mutate the runtime environment and fetch additional code over the network.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.