Back to skill

Security audit

Volcengine AI MediaKit

Security checks across malware telemetry and agentic risk

Overview

This media-processing skill is mostly coherent, but it can upload, bill for, and publish media through a cloud account without clear confirmation at key points.

Install only if you trust the publisher with Volcengine VOD credentials and are comfortable with media being uploaded, processed, stored, billed, and in some cases automatically published. Use least-privilege credentials and avoid running get_media_info on private or draft assets unless publishing them is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation describes a read-style media info query, but it silently escalates into a state-changing publish operation for unpublished videos. This violates least surprise and can expose media that was intentionally kept unpublished, creating unauthorized distribution and policy/compliance risks.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The method marketed as play/query retrieval can automatically call UpdateMediaPublishStatus and change a media asset from unpublished to published in order to obtain a PlayURL. That is a state-changing side effect that can expose content unexpectedly, which is especially risky in a media-processing skill where users may assume read-only lookup behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly allows arbitrary public HTTPS URLs as media inputs, which means the backend may fetch attacker-controlled remote content. This creates SSRF-like and privacy risks, including unintended external network access, IP disclosure to third parties, and ingestion of untrusted files without any warning or restriction guidance for users.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes sending video/audio to an ASR service but does not warn users that media content may be transmitted to a third-party processor and may contain sensitive personal, biometric, or confidential information. This can lead to unintended privacy exposure, compliance issues, and unsafe use in environments where user consent, data handling notice, or jurisdictional restrictions are required.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill supports voice and facial translation, which can involve processing biometric identifiers, speech content, and potentially sensitive personal data, but the documentation does not warn users about these privacy implications or recommend obtaining consent. In a media-processing workflow, this omission increases the risk of users submitting third-party videos without understanding the sensitivity of the operation or applicable legal/compliance requirements.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The markdown normalizes automatic publishing as part of obtaining an Origin URL and does not warn that this modifies media state. In this skill context, users are likely invoking a lookup/query capability, so hidden publication of unpublished assets can lead to accidental exposure of private or embargoed content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code automatically publishes media when a PlayURL is requested and does so without any user-facing confirmation or warning. In this skill context, that can turn a private or draft asset into a publicly playable one, causing confidentiality and workflow-integrity issues beyond what a user likely intended.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
When the input is a local path, the method uploads the local file to remote storage automatically, but the interface and flow do not provide a visible disclosure/confirmation boundary. In an agent skill, this can cause unintended exfiltration of local media files if a user or calling workflow supplies a path without realizing it triggers network transfer.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends user-supplied media to an external service via client.submit_media(...) without any disclosure, consent check, or visible indication in this file that the media will leave the local environment. Because the skill processes audio/video content that may contain sensitive personal or copyrighted material, undisclosed transmission creates a real privacy and compliance risk even if the behavior is expected for the product's function.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script accepts user-supplied media references, including direct HTTP/HTTPS URLs, and forwards them to a remote processing service without any validation, restriction, or explicit disclosure in code. This can expose internal or sensitive URLs to a third party, enable SSRF-like access through the upstream media service if it fetches arbitrary URLs, and create privacy/compliance risk because uploaded or linked media may be transmitted off-system automatically.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script transmits local files or remote URLs to an external VOD service without any explicit user-facing confirmation, consent gate, or prominent disclosure at the point of action. Even though local path access is partially constrained to workspace/userdata/tmp, the code can still exfiltrate sensitive user media from those locations or trigger third-party fetching of supplied URLs, which is especially relevant in an agent context where users may not realize upload is occurring.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.