Byted Airesearch Videoeval

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed video-generation workflow that uses an ARK API key and Volcengine API as expected, with no evidence of hidden or destructive behavior.

Before installing, confirm you are comfortable providing an ARK_API_KEY and sending selected prompts, images, videos, or audio to Volcengine for generation. Watch for API cost, and prefer explicit confirmation before running generation jobs.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill documentation describes use of environment-sourced secrets, network access to external APIs, and script execution flows, but the skill does not declare corresponding permissions. This creates a least-privilege and transparency gap: the runtime may still access sensitive capabilities without explicit user/admin review, increasing the chance of unexpected secret use or outbound data transfer.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal