Security audit

Cutrix Video Translate

Security checks across malware telemetry and agentic risk

Overview

This skill is a documented Cutrix video-translation SDK helper with expected cloud upload and API-key use, not hidden or destructive behavior.

Install only if you are comfortable sending selected videos, audio, subtitles, and related task metadata to Cutrix for cloud processing. Use the CUTRIX_API_KEY environment variable rather than hard-coding keys, avoid command-line tokens where possible, and do not process confidential or regulated media without approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The README identifies the skill as a 'Cutrix Python SDK' / 'cutrix-python-sdk' publishing artifact, while the manifest describes an end-user video translation and voice-cloning skill. This identity mismatch can mislead users and automated systems about what is being installed, increasing the risk of incorrect trust decisions, accidental execution in the wrong context, or supply-chain style confusion.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The statement that the skill 'only documents how to install and call' a package conflicts with the marketplace description advertising direct video translation, dubbing, subtitles, and voice cloning. Such misrepresentation can cause users or agents to invoke the skill under false assumptions, reducing informed consent and making it easier to conceal the real behavior or limitations of the package.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README tells users to pass an API token directly on the command line, which can expose the secret via shell history, CI logs, terminal recording, or process inspection on multi-user systems. In a skill ecosystem, users may copy-paste commands verbatim, so insecure token-handling guidance materially increases credential leakage risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill encourages users to pass local video paths to an SDK that performs cloud upload and remote processing, but it does not present a clear upfront privacy warning before users act. This can cause accidental disclosure of sensitive video/audio content, subtitles, or biometric voice data to a third-party service, especially in enterprise or regulated environments.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.