Back to skill

Security audit

WeryAI Video Toolkits

Security checks across malware telemetry and agentic risk

Overview

This is a real WeryAI video-editing skill, but it packages broader generation and account helpers and can upload local files to WeryAI with limited containment.

Install only if you trust WeryAI and this publisher with the media paths you provide. Use dry-run first, avoid sensitive local files, keep WERYAI_BASE_URL on the official WeryAI host unless you intentionally trust another endpoint, and treat real submit/wait calls as paid external uploads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This file exposes a balance-retrieval capability by directly re-exporting executeBalance, even though the skill metadata only describes video processing and task-status functionality. That creates a scope mismatch: an agent or user invoking this skill could access account or billing information that is unrelated to the advertised purpose, increasing the risk of unauthorized data access and over-privileged behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Account balance retrieval is not justified by the stated purpose of a video editing toolkit, so its inclusion expands the skill's accessible surface beyond what users and orchestrators would reasonably expect. Even if the data exposed is 'only' billing-related, this can leak sensitive account state and enable unintended information disclosure through a mismatched tool selection path.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The code submits to a broad `/v1/generation/almighty-reference-to-video` endpoint even though the skill manifest describes narrower video-editing operations such as background removal/replacement, anime style transfer, and status checks. This expands the capability surface beyond user and platform expectations, enabling arbitrary media generation workflows through a skill that appears scoped to editing existing videos.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
`buildAlmightyBody` accepts free-form prompts plus images, videos, and audios, which supports general multimodal video generation rather than strictly editing an existing video. In this skill context, that mismatch is dangerous because a user or upstream agent may trust the manifest-limited description while the code can perform materially broader content creation tasks, bypassing intended policy, review, or consent boundaries.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file submits image-to-video generation jobs via /v1/generation/image-to-video, which exceeds the stated skill scope of editing existing videos. Scope mismatch is security-relevant because an agent or user may authorize a seemingly narrow video-editing skill while the code can transmit different media inputs and invoke broader generative capabilities, increasing the chance of undisclosed data handling and unintended actions.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements submission of new text-to-video generation jobs via `/v1/generation/text-to-video`, while the skill metadata says the skill is limited to processing and editing existing videos. That mismatch expands the skill's effective capabilities beyond user and platform expectations, enabling generation of novel media rather than bounded editing of supplied content; such scope drift is dangerous because it can bypass review assumptions, policy controls, or consent boundaries tied to the advertised skill purpose.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill implements several powerful video-manipulation operations beyond the manifest's declared scope, including face-change, lips-change, subtitle-erase/translate, watermark-remove, extend, and upscaler. This creates a capability mismatch: downstream systems or users may trust the published description and approve or invoke the skill under false assumptions, enabling undisclosed editing functions that can be abused for impersonation, deceptive media editing, or removal of attribution/watermarks.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code resolves local upload sources and sends them to remote endpoints without any explicit disclosure or consent gate in this execution path. In an agent setting, silent exfiltration of local files or user-provided media to third-party services is dangerous because users may believe processing is local or limited to previously described operations.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This code resolves local upload sources and submits them to a remote WeryAI API, which creates an exfiltration path for local files referenced in input. In a skill environment, that is security-relevant unless there is explicit user consent, strict path controls, and clear disclosure that local files will be transmitted off-host; this file only hints at uploads in dry-run notes and otherwise performs the upload automatically.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The function resolves local media sources into public URLs, which likely entails uploading local files to a remote or publicly accessible location. In a video-processing skill, this behavior is functionally expected, but it is still security-relevant because a caller may unintentionally expose sensitive local media over the network if there is no explicit consent, allowlist, or visibility control around what can be uploaded.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This code resolves local upload sources and then submits them to a remote API without any user-facing confirmation or disclosure at the point of transfer. In an agent setting, that can cause unintended exfiltration of local files or media-derived sensitive data if upstream prompts or inputs reference local paths, especially because the dry-run note explicitly indicates real runs will upload files automatically.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/vendor/weryai-core/upload.js:147

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/video_toolkits.js:19