xeon-smartupscale_v2

Security checks across malware telemetry and agentic risk

Overview

This video upscaling skill appears purpose-aligned, but its installer runs network-fetched code and installs an unverified ffmpeg binary, which deserves manual review before use.

Install only if you are comfortable with the installer fetching and executing external code during setup. Prefer using a system-provided pip and ffmpeg/ffprobe already installed on the machine, or ask the publisher for pinned versions with checksum or signature verification before installing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

External Transmission

Medium

Category: Data Exfiltration
Content: else echo "Downloading static ffmpeg..." tmp="$(mktemp -d)" curl -sSL https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz -o "$tmp/ff.tar.xz" tar -xf "$tmp/ff.tar.xz" -C "$tmp/" cp "$tmp"/ffmpeg-*-amd64-static/ffmpeg "$DIR/bin/ffmpeg" cp "$tmp"/ffmpeg-*-amd64-static/ffprobe "$DIR/bin/ffprobe"
Confidence: 92% confidence
Finding: curl -sSL https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz -o "$tmp/ff.tar.xz" tar -xf "$tmp/ff.tar.xz" -C "$tmp/" cp "$tmp"/ffmpeg-*-amd64-static/ffmpeg "$DIR/bin/

External Script Fetching

Low

Category: Supply Chain
Content: if ! python -m pip --version &>/dev/null; then echo "Bootstrapping pip..." curl -sSL https://bootstrap.pypa.io/get-pip.py | python fi python -m pip install --upgrade pip >/dev/null
Confidence: 98% confidence
Finding: curl -sSL https://bootstrap.pypa.io/get-pip.py | python

Chaining Abuse

High

Category: Tool Misuse
Content: if ! python -m pip --version &>/dev/null; then echo "Bootstrapping pip..." curl -sSL https://bootstrap.pypa.io/get-pip.py | python fi python -m pip install --upgrade pip >/dev/null
Confidence: 99% confidence
Finding: | python

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal