Byted Las Video Resize

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine Volcengine video-resize skill, but it needs review: the setup script can download and install executable SDK code from a remote URL, and one bundled helper script produces output for unrelated ASR transcription rather than video resizing.

Install only after reviewing or disabling the automatic SDK install/update step in `scripts/env_init.sh`. Use scoped, short-lived LAS and TOS credentials; choose unique output filenames or prefixes so that `output_file_name` never overwrites an existing object; do not submit sensitive videos unless cloud processing is permitted for them; and ignore or remove the ASR/transcript result helper unless it is corrected to handle video-resize output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill instructs the agent to execute shell commands (`source`, `lasutil`, `jq`) but does not declare any permission for shell access. This creates a trust and policy gap: a host may allow the skill to perform command execution that users or reviewers did not explicitly authorize, increasing the risk of unintended command execution and of secrets being exposed through the shell environment.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The skill description says it resizes videos, but the documented behavior also includes fetching a remote SDK manifest and auto-upgrading/installing code from a remote wheel URL via `scripts/env_init.sh`. Remote self-update behavior materially expands the trust boundary, because code executed at runtime can change independently of the reviewed skill content, enabling supply-chain compromise or unexpected capabilities.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The init script performs network access and package-management actions during environment setup, which goes beyond local video-resize functionality and extends the trust boundary to remote infrastructure. If the remote endpoint, manifest, or package source is compromised, running this script could install attacker-controlled code into the user's environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script contains self-updating behavior that unconditionally upgrades a wheel from a remote URL whenever the local and remote versions differ. This is dangerous because it enables code changes at runtime without review, and any compromise of the hosting location or release process can lead to arbitrary code execution in the activated Python environment.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The script generates user-facing output for ASR/transcription results (`ASR 识别结果`, i.e. "ASR recognition result", `transcript.txt`, language/duration stats) even though the skill is declared as a video-resize/transcoding skill. This semantic mismatch can mislead downstream agents or users into handling the wrong artifacts, causing incorrect workflow execution, exposure of unrelated transcripts, or invocation of the wrong backend behavior in an automation chain.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding: The script header and usage text explicitly document behavior for generating ASR recognition results, which contradicts the skill manifest for video resizing. In an agent ecosystem this kind of capability confusion is dangerous because the wrong tool may be selected or trusted for sensitive media-processing tasks, increasing the chance of unintended data handling and misleading users about what processing actually occurred.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The API documentation explicitly states that `output_file_name` will overwrite an existing file with the same name, but it does not prominently warn users about the destructive consequence or recommend safeguards. In a batch-oriented video processing skill that writes to shared object storage paths, this can lead to accidental data loss or corruption of previously generated assets if users reuse names or prefixes.
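One way to close the overwrite gap described in this finding is to plan every output key before the batch starts and refuse to run if any key already exists in the bucket or is produced twice within the batch. The Python below is an added illustration, not the skill's or Volcengine's own code: the key layout (`<prefix>/<run_id>/<stem>-<suffix>-<hash8><ext>`), the run id, and the way the existing object listing is obtained are all assumptions. The short hash is derived from the full source key, so two inputs that share a basename (`a/clip.mp4` and `b/clip.mp4`) never collide.

```python
"""Collision-safe output keys for batch resize jobs (added example, not the skill's code).

The skill's API overwrites an existing object when output_file_name repeats.
This plans all keys up front and treats any collision as a reason to stop.
Key layout, run id and the sample object listing are assumptions.
"""
import hashlib
import posixpath


def output_key(prefix: str, run_id: str, source_key: str, suffix: str) -> str:
    """Build <prefix>/<run_id>/<stem>-<suffix>-<hash8><ext> (assumed layout).

    hash8 comes from the full source key, so inputs that share a basename in
    different directories still get distinct output keys.
    """
    base = posixpath.basename(source_key)
    stem, ext = posixpath.splitext(base)
    tag = hashlib.sha256(source_key.encode()).hexdigest()[:8]
    return f"{prefix.rstrip('/')}/{run_id}/{stem}-{suffix}-{tag}{ext}"


def plan_batch(prefix: str, run_id: str, sources: list, suffix: str, existing_keys: set):
    """Return (plan, problems).

    plan maps each source key to its planned output key; problems lists every
    key that would overwrite an existing object or be written twice in this
    batch. A non-empty problems list means the batch must not be submitted.
    existing_keys is whatever the caller listed from the bucket beforehand.
    """
    plan, problems, seen = {}, [], set()
    for src in sources:
        key = output_key(prefix, run_id, src, suffix)
        if key in existing_keys:
            problems.append(f"{key} already exists (would be overwritten)")
        if key in seen:
            problems.append(f"{key} produced twice within this batch")
        seen.add(key)
        plan[src] = key
    return plan, problems


if __name__ == "__main__":
    # Constructed sample: two inputs with the same basename, one stale object.
    existing = {output_key("resized", "run-001", "a/clip.mp4", "720p")}
    plan, problems = plan_batch(
        "resized", "run-001", ["a/clip.mp4", "b/clip.mp4"], "720p", existing
    )
    for src, key in plan.items():
        print(f"{src} -> {key}")
    for p in problems:
        print("REFUSE:", p)
```

Run the planning step with the listing of the target prefix taken immediately before submission; if `problems` is non-empty, change the run id or prefix rather than relying on the service's overwrite behavior.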

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The script silently fetches a remote manifest during initialization without clearly notifying the user that external network communication will occur. This weakens transparency and can expose metadata or create an unexpected dependency on remote-controlled configuration that influences later install/update behavior.
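The four findings about `scripts/env_init.sh` (remote manifest fetch, package installation during setup, unconditional upgrade when versions differ, and the undisclosed network call) all come down to the same missing control: the remote manifest, not a reviewed artifact, decides what code gets installed. The Python below is an added illustration of the opposite policy, not the skill's or Volcengine's code: a lockfile committed alongside the skill pins the package name, version, SHA-256 and allowed download host, and a downloaded wheel is accepted only if all of them match. A newer remote version is never a reason to install; it is a reason for a human to review and update the lock. The manifest and lock field names, the package name, the host and the wheel bytes are constructed sample values.

```python
"""Pin-and-verify SDK install check (added example, not the skill's code).

The init script described above upgrades whenever the remote version differs.
Here a reviewed lockfile is the only authority: version, source host and
SHA-256 of the downloaded wheel must all match before anything is installed.
All field names and sample values are assumptions.
"""
import hashlib
from urllib.parse import urlparse

# Constructed sample: a reviewed lockfile committed next to the skill.
LOCK = {
    "package": "example-las-sdk",  # hypothetical package name
    "version": "1.2.3",
    "sha256": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03",
    "allowed_hosts": ["sdk.example.invalid"],
}

# Constructed sample: what the remote manifest claims.
MANIFEST = {
    "package": "example-las-sdk",
    "version": "1.2.3",
    "url": "https://sdk.example.invalid/example_las_sdk-1.2.3-py3-none-any.whl",
}

# Constructed stand-in for the downloaded wheel; a real wheel is a zip file.
WHEEL_BYTES = b"hello\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_install(manifest: dict, lock: dict, wheel_bytes: bytes) -> tuple:
    """Return (allowed, reason). Any mismatch refuses; nothing auto-upgrades."""
    if manifest.get("package") != lock["package"]:
        return False, "package name differs from lock"
    if manifest.get("version") != lock["version"]:
        # A version bump is handled by reviewing and editing the lock, not here.
        return False, (
            f"version {manifest.get('version')!r} is not pinned "
            f"(lock has {lock['version']!r})"
        )
    url = urlparse(manifest.get("url", ""))
    if url.scheme != "https" or url.hostname not in lock["allowed_hosts"]:
        return False, f"download URL {manifest.get('url')!r} not allowed"
    digest = sha256_hex(wheel_bytes)
    if digest != lock["sha256"]:
        return False, (
            f"sha256 mismatch: got {digest[:12]}..., "
            f"lock has {lock['sha256'][:12]}..."
        )
    return True, "manifest and wheel match the reviewed lock"


if __name__ == "__main__":
    print(check_install(MANIFEST, LOCK, WHEEL_BYTES))
    print(check_install({**MANIFEST, "version": "1.2.4"}, LOCK, WHEEL_BYTES))
    print(check_install(MANIFEST, LOCK, b"tampered"))
```

Only when `check_install` returns `True` should the init script hand the already-downloaded file to `pip install --no-deps --no-index <path>`; installing straight from the manifest URL skips the hash check entirely. Printing the manifest URL and the computed digest before installing also addresses the transparency finding.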

VirusTotal

66/66 vendors flagged this skill as clean.
