volcengine-video-generate

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Volcengine video-generation helper, with expected cloud upload and local download behavior that users should handle carefully.

Install only if you are comfortable sending prompts and any provided first-frame images to Volcengine/Ark. Do not use confidential images, internal-only URLs, or sensitive prompts unless that third-party processing is acceptable, and choose an output path where creating or overwriting a video file is safe.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill accepts a prompt and optional first-frame image, including local files or URLs, and sends this material to an external video-generation service, but the description does not clearly warn about that transmission. Users could unintentionally expose sensitive local images, confidential prompts, or metadata to a third party, especially because the script also downloads remote content and uploads converted image data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal