Back to skill

Security audit

Byted Mediakit Shared

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-style MediaKit CLI helper whose cloud upload, API key, and local configuration behavior are disclosed and aligned with media processing.

Before installing, confirm you trust the external mediakit-cli package and understand that cloud mode can upload local media files to the service. Use local mode for sensitive media when possible, and review where the CLI stores API keys and outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly states that in cloud mode, local file paths are automatically uploaded and converted to remote `mediakit://...` file IDs, but it does not prominently warn users or calling agents that supplying a local path will transmit local media to a remote service. This creates a real risk of unintended data exfiltration, especially for agents that may assume a local path stays local unless clearly told otherwise.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.