Back to skill

Security audit

Video Transcriber

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but its example download commands weaken connection security and should be used carefully.

Install only if you are comfortable with the required local tools and the referenced watcher extension. Prefer removing --no-check-certificate, use it only on trusted Bilibili or YouTube links, and run it in a workspace where temporary audio files are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The workflow performs external network requests, downloads remote media, and creates local files without any user-facing warning or consent boundary. In an agent environment, this can lead to unexpected data transfer, storage consumption, and execution of network-enabled tooling against attacker-controlled URLs, increasing the risk of SSRF-like access patterns or unsafe processing of untrusted content.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# 1. 获取视频时长
yt-dlp --dump-json --no-check-certificate "URL" | jq -r '.duration, .title'

# 2. 下载音频
yt-dlp -f bestaudio --no-check-certificate "URL" -o audio.m4a
Confidence
98% confidence
Finding
--no-check

Tool Parameter Abuse

High
Category
Tool Misuse
Content
yt-dlp --dump-json --no-check-certificate "URL" | jq -r '.duration, .title'

# 2. 下载音频
yt-dlp -f bestaudio --no-check-certificate "URL" -o audio.m4a

# 3. 转码
ffmpeg -i audio.m4a -ar 16000 -ac 1 audio.wav
Confidence
98% confidence
Finding
--no-check

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.