Security audit

Byted Las Video Inpaint

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Volcengine LAS video-inpainting skill, but users should treat the cloud credentials, video uploads, and runtime SDK install as meaningful trust decisions.

Install only if you trust Volcengine LAS and are comfortable sending selected videos and presigned links to that cloud service. Use dedicated least-privileged LAS and TOS credentials, keep env.sh or .env out of version control, verify the region and output TOS path, and run first setup in an isolated workspace because it may download and install the LAS SDK.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell commands (`lasutil`, `source`, variable expansion) but does not declare the shell/code-execution capability. This weakens least-privilege controls and can cause the agent to run local commands without an explicit permission boundary, increasing the blast radius if the skill or its dependencies are modified or abused.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill asks for broad `VOLCENGINE_ACCESS_KEY` and `VOLCENGINE_SECRET_KEY` to download outputs from TOS, even though its primary function is video inpainting. Requesting account-level cloud credentials expands access well beyond the minimum needed and creates risk of credential exposure, misuse, or unintended access to unrelated buckets and cloud resources.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to `source` and run a local environment initialization shell script before performing its task. That introduces arbitrary local code execution through a script outside the visible skill content, which can perform unrelated actions, modify the environment, or exfiltrate secrets if tampered with.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The init script reaches out to a remote manifest and uses that information to decide whether to modify the local environment by upgrading the SDK. That creates a supply-chain and integrity risk unrelated to the core video inpainting behavior: if the remote endpoint, transport assumptions, or hosted artifact are compromised, running initialization can silently introduce attacker-controlled code into the skill environment.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script performs an unconditional remote pip installation when the local version differs from the manifest, effectively executing code obtained from the network during setup. For a video inpainting skill, this is an unnecessary privileged capability that expands the attack surface to package hosting, manifest tampering, and dependency compromise, potentially leading to arbitrary code execution in the user's environment.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script generates markdown for ASR/transcription output, including transcript previews, audio duration, language, and utterance files, even though the skill is advertised as a video inpainting/removal tool. This mismatch can expose unexpected transcription data and indicates that the skill may process or surface different media data than users intended. That is especially risky because the stated use case is removing watermarks and subtitles from videos, not extracting speech content.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill instructs users to create `env.sh` containing `export LAS_API_KEY="..."` and discusses obtaining/using additional credentials, but it does not provide adequate warnings about secret storage, file permissions, chat exposure, or least-privilege handling. This increases the likelihood that sensitive API keys are stored insecurely, committed accidentally, or revealed through logs and shared directories.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script fetches remote content and may install a package with only a generic update message, so users are not meaningfully informed that setup includes network access and environment mutation. This weakens informed consent and makes stealthy supply-chain abuse or unexpected system changes more likely to go unnoticed.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.