Byted Las Vlm Video

Security checks across malware telemetry and agentic risk

Overview

This video-analysis skill is mostly coherent, but its normal setup can install remote SDK code without hash verification or a clear user opt-in.

Install only if you trust the Volcengine/TOS SDK source and are comfortable with setup modifying a local Python environment from a remote wheel. Use least-privilege credentials, avoid pasting secrets into chat, confirm region and billing before processing, and do not send sensitive videos unless provider-side upload and processing are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%

Finding
The skill clearly instructs the agent to execute shell commands (`source`, `ffprobe`, `lasutil`, `jq`) but does not declare shell/code-execution capability. Hidden execution capability weakens policy enforcement and user transparency, and can lead to command execution in environments where the skill appears lower-risk than it really is.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%

Finding
The manifest describes a synchronous video-analysis wrapper, but the workflow adds materially different behaviors: environment bootstrapping, SDK auto-update from a remote source, credential loading from local files, local artifact creation, and storage operations. This mismatch is dangerous because reviewers and users may approve the skill for narrow inference use while it actually performs software installation, filesystem access, and credential-handling steps with broader security implications.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%

Finding
The documented workflow uploads local user videos to TOS and may later upload generated outputs, which is a data exfiltration pathway beyond simple in-process analysis. Even if necessary for the service, undocumented third-party transfer of local files increases privacy, compliance, and consent risk, especially for sensitive video content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%

Finding
The skill asks for additional cloud storage credentials (`VOLCENGINE_ACCESS_KEY` and `VOLCENGINE_SECRET_KEY`) to download outputs, extending its privileges beyond basic video inference. Requesting broader credentials than necessary increases the blast radius if the skill is misused or compromised, or if logs or secrets are exposed during execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%

Finding
The environment initialization script silently fetches a remote manifest and can install or upgrade an SDK from a network location, behavior that is not disclosed by the skill's stated video-analysis purpose. This creates a supply-chain risk because running initialization can execute code obtained from an external server without integrity verification, making compromise of the remote host, artifact, or network path impactful.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%

Finding
The script implements a self-update mechanism that compares versions from a remote manifest and then performs a `pip install --upgrade` from a remote wheel URL. Self-updating code in a skill bootstrap script is dangerous because it changes the executed codebase outside normal review and can introduce arbitrary code execution through a compromised package source or unintended version drift.

Vague Triggers

Severity: Medium
Confidence: 83%

Finding
The activation language is very broad and can trigger the skill for many generic video-related requests, increasing the chance of unnecessary invocation of shell commands, uploads, and external API calls. Overbroad routing raises the risk of unintended data handling or surprising behavior on requests that did not clearly require this skill.

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding
The script performs network fetches and installs a package from a remote URL with only routine status output, giving the user no meaningful opportunity to review or refuse the operation. In the context of a video-analysis skill, this is especially risky because such remote code installation is not essential to the advertised functionality and expands the attack surface to supply-chain and unexpected egress behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
