Back to skill

Security audit

Byted Mediakit Editing

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent MediaKit CLI wrapper for audio and video editing, but users should understand that cloud mode can upload or submit media and metadata to a remote service.

Install this only if you are comfortable using the external MediaKit CLI and providing its API credentials. Prefer local mode for sensitive media when supported, and avoid sending private videos, audio, images, signed URLs, internal URLs, secrets, or personal data through cloud mode unless you understand the provider's handling and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation description is broad and trigger-based wording is vague ('当用户需要使用 editing 域的 MediaKit CLI 能力时触发'), which can cause the agent to invoke this shell-permissioned skill in situations that are only loosely related to media editing. Over-broad activation increases the attack surface for prompt-driven misuse, especially because the skill can lead to shell execution through a CLI wrapper.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to supply remote video and image URLs but does not warn that these assets will be fetched and processed by local or cloud tooling. This can lead users to unintentionally transmit sensitive media or trigger external network access without informed consent, which is a real privacy and data-handling risk in a shell-capable skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly supports remote URLs and cloud execution for video and subtitle inputs, but it does not warn users that media content may be transmitted to external services for processing. In a media-editing skill, uploaded videos and subtitle files can contain sensitive personal, proprietary, or copyrighted data, so omission of privacy and data-transfer disclosure creates a real security/privacy risk.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill instructs users to supply an `audio_url` and supports cloud processing, but it does not warn that the referenced media may be transmitted to a remote service or otherwise exposed during processing. This can lead users to submit sensitive or private audio without informed consent, creating a privacy and data-handling risk even though it is not direct code execution or command injection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly supports cloud execution and remote video URLs, but it does not warn that user media may be transmitted to external services for processing. This can cause users to unknowingly upload sensitive audio/video content or metadata, creating privacy, confidentiality, and compliance risks, especially in enterprise or regulated environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly states the tool is 'cloud only' and requires a remote video URL, but it does not warn users that video content will be transmitted to an external service for processing. For media files, this can expose sensitive or proprietary content, creating privacy, confidentiality, and compliance risk if users assume processing is local.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to provide remote audio URLs and optional callback data, and it explicitly supports cloud execution, but it does not warn that media URLs and callback metadata may be transmitted to external services or logged by backend systems. In a shell-permitted media editing skill, this omission can cause users to submit sensitive media locations or identifying callback content without understanding the privacy and network exposure implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation allows remote `http://`/`https://` video URLs as input but does not warn users that those URLs will be fetched and processed by the service. This can lead to unintended disclosure of sensitive URLs, server-side retrieval of internal or private resources, or privacy/compliance issues if users assume processing is purely local.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to provide a video URL and notes support for both local and cloud modes, but it does not clearly warn that media may be transmitted to remote processing services depending on execution mode. For audio/video content, this can expose sensitive or copyrighted material and create privacy/compliance risk if users assume processing is purely local.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states this capability is cloud-only and accepts externally hosted image URLs, but it does not clearly warn users that the referenced media and related metadata will be transmitted to a remote service for processing. This can cause unintended disclosure of sensitive or internal-only image content, especially if users assume the tool behaves like a local editing command.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly supports cloud mode and demonstrates use of remote audio URLs, but it does not warn users that audio content and related metadata may be transmitted to an external service for processing. This can lead to unintended disclosure of sensitive or copyrighted audio, especially because users may assume local-capable tooling is privacy-preserving unless cloud transfer is called out clearly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly states that in cloud mode local file paths are uploaded by the CLI before submission, but it does not require any user-facing consent, warning, or privacy notice. In a media-editing skill, uploaded files may contain sensitive audio/video content or metadata, so silent transmission to a remote service can cause unintended disclosure even if the behavior is intended.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.