Security audit

Seedance + Waoo short-video pipeline

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate short-video automation skill, but it needs review because it sends user content to configured third-party services and can persist API-key-bearing config copies in output folders.

Install only if you are comfortable with project text, scripts, images, audio, and generated media being sent to the providers you configure under your API keys. Use low-privilege, rotatable keys; keep config files out of version control; review output directories for copied config files containing secrets; and require explicit confirmation before paid or quota-consuming generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill explicitly references environment-backed configuration and networked execution against external vendors (API key, API endpoint address, submit/poll/download flows), yet no permissions declaration is present. That creates a trust and review gap: operators and users are not clearly informed that the skill can read sensitive configuration and transmit user content/media off-platform.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The documented behavior overstates implemented capabilities and understates some actual processing steps. Security-relevant mismatches like claiming vendor routing/ASR behavior that is not actually implemented can cause users or orchestrators to make unsafe assumptions about where data goes, what validations occurred, and whether outputs are authoritative.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The auto-trigger rules are broad enough to activate on generic creative requests, causing this skill to engage networked media-generation workflows when a user may only want brainstorming or lightweight assistance. In a skill that can route text/media to third-party services and create/download files, over-triggering increases the chance of unintended data disclosure, unwanted charges, and surprising side effects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description does not clearly warn that user text, scripts, images, audio, and generated artifacts may be sent to external video/TTS/ASR providers and downloaded back into the environment. For a media-production pipeline, that omission is significant because inputs may contain copyrighted, sensitive, or personal content, and users may not realize third parties are involved.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guidance explicitly tells the operator to collect API keys, tokens, app IDs, and similar credentials, but it does not warn against exposing them in chat, logs, screenshots, or shared config files. In an agent skill context, asking for secrets without safe-handling guidance increases the risk of accidental credential disclosure and downstream account misuse, even if the collection is operationally necessary.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The auto-trigger conditions are broad enough to match ordinary creative requests such as a topic, a sentence, or a script, which can cause the pipeline to launch multi-step generation without sufficiently explicit user intent. In an agent setting, this increases the risk of over-collection of inputs, unintended downstream actions, surprise costs, and workflow escalation from casual prompts into production operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The helper downloads arbitrary URLs with fetch() and writes the response directly to a caller-controlled path, while Vidu and Seedance accept fileId values of the form url:... and MiniMax trusts a returned download_url. In an agent skill context, this creates an SSRF-style primitive and untrusted network fetch capability that could access internal resources, local metadata endpoints, or attacker-controlled large files without any allowlisting, protocol checks, host validation, size limits, or content validation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script sends the full generated prompt, which includes storyboard/script content and user revision notes, plus a bearer API key to a configurable external endpoint. In this video-generation skill context, that can expose potentially sensitive project content to third-party services without any explicit consent, trust-boundary validation, or endpoint allowlisting in the script, making data exfiltration and accidental secret disclosure more plausible.

VirusTotal

66/66 vendors flagged this skill as clean.