Back to skill

Security audit

Byted Byteplus Vod Precision Erasure

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed BytePlus VOD upload and precision-erasure integration with no evidence of hidden persistence, exfiltration, or unrelated behavior.

Install only if you intend to let the skill use your BytePlus VOD credentials to upload media, submit erasure jobs, and generate playback/download URLs. Review VOD_HOST and VOD_PLAY_DOMAIN before use, and keep local uploads limited to media files you deliberately provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation declares required environment variables, local file inputs, and outbound API/network operations, but there is no explicit permissions declaration to scope or warn about those capabilities. This can lead to over-broad execution in an agent platform, where a caller may not realize the skill can read local files, access secrets from the environment, and send data to external BytePlus/VOD endpoints.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The playback helper calls UpdateMediaPublishStatus with Published before fetching play info, which changes the remote asset's visibility/state rather than only retrieving metadata. In this skill context, that exceeds the described upload/playback-reference/erasure scope and can unintentionally expose media to playback when a caller only expected a reference lookup.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Media is automatically published as a side effect of requesting a playable URL, with no explicit user-facing acknowledgement. In a media-processing skill, this can surprise operators and lead to accidental exposure of newly uploaded or sensitive content through generated playback links.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.