Tianshu Wan Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward DashScope video-generation helper, with expected use of a DashScope API key and outbound requests to Alibaba’s API.

Before installing, make sure you are comfortable providing a DashScope API key and sending prompts or image URLs to Alibaba DashScope. Use a dedicated key if possible, monitor quota or costs, and avoid submitting confidential prompts or private image URLs.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill declares required environment variables but does not declare permissions despite clearly needing both environment access and outbound network access to call DashScope. This creates a transparency and policy-enforcement gap: platforms or users may approve the skill without understanding that it can read secrets and transmit data externally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal