Security audit

Remotion Video Generator

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill largely does what it says, but two behaviors warrant review: its workflow exposes a local Remotion dev server through a public Cloudflare tunnel, and its scraping helper fetches a caller-supplied URL and forwards it to a third-party screenshot service without validation.

Review before installing. Use it only with public, non-sensitive brand URLs; do not pass internal, private, or otherwise sensitive URLs to the scraping helper, since they are sent to external infrastructure. Avoid the public Cloudflare tunnel unless you explicitly want anyone with the link to reach the Remotion Studio, and stop both the tunnel and the dev server when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Description-Behavior Mismatch

Medium severity, 87% confidence

The documentation broadens the skill from Remotion-based video generation into a web-scraping and asset acquisition workflow. Scope expansion itself is not malicious, but it increases the attack surface and may cause the agent to access third-party resources or collect data outside what a user would reasonably infer from the skill name and description.

Description-Behavior Mismatch

High severity, 98% confidence

The skill instructs the agent to expose a local development server through a public Cloudflare tunnel even though that behavior is not disclosed in the manifest description. Publicly exposing localhost services can unintentionally leak unpublished content, internal tooling state, or other accessible endpoints to anyone with the URL.

Context-Inappropriate Capability

High severity, 97% confidence

Full tunnel lifecycle management is substantially broader than what is required for generating motion-graphics videos. A publicly exposed tunnel creates a new ingress path into a local development environment and can enable unintended disclosure or interaction with local services.

Context-Inappropriate Capability

Medium severity, 90% confidence

Making website scraping and third-party screenshot acquisition mandatory extends the skill beyond video creation into external content collection. This can create privacy, compliance, and consent issues, especially when targeting arbitrary company websites and storing downloaded assets locally.

Missing User Warnings

High severity, 98% confidence

The workflow tells the agent to expose the local Remotion studio through a public tunnel and send the URL to the user without any warning that the service becomes externally reachable. In this context, that is dangerous because local development servers often lack authentication and may expose unpublished content or additional endpoints.

Missing User Warnings

High severity, 97% confidence

The quick-start section normalizes public exposure of a local service without explaining the privacy and access consequences. Users may assume the preview is private when in fact anyone with the URL may reach the development server.

Missing User Warnings

Medium severity, 88% confidence

The skill makes brand-data scraping mandatory but does not clearly warn that third-party website content and assets will be fetched and processed. This matters because users may not realize the workflow initiates network collection against external sites and stores the results locally.

Missing User Warnings

Medium severity, 91% confidence

The manual extraction example uses a stealth fetcher to emulate browser-like scraping of external sites without warning the user. The use of stealth tooling increases sensitivity because it suggests bypassing normal detection or anti-bot expectations on third-party websites.

Missing User Warnings

Medium severity, 86% confidence

The asset download commands pull remote files directly into the local project without any disclosure about network access, file writes, or validation of the downloaded content. This can expose the environment to untrusted files and create provenance or supply-chain concerns.

Missing User Warnings

High severity, 98% confidence

The implementation steps require exposing the app through a tunnel and sharing the public URL, again without a warning about public accessibility. Repetition in the core workflow makes unsafe exposure the expected default behavior rather than an informed exception.

Missing User Warnings

Medium severity, 93% confidence

The tunnel management section documents commands for starting, listing, and stopping public tunnels but omits any discussion of the security implications. This encourages routine use of externally reachable tunnels from a local environment without appropriate caution or safeguards.

Missing User Warnings

Medium severity, 94% confidence

The script performs a remote fetch of a user-supplied URL using a stealth browser without any explicit disclosure or validation. This can cause unintended transmission of sensitive or internal URLs to external infrastructure and may enable SSRF-like access patterns or privacy leaks if the caller supplies non-public targets.

Missing User Warnings

High severity, 99% confidence

The script constructs a screenshot URL for image.thum.io containing the user-supplied target URL, which sends that target to a third-party service without notice or consent. If users provide private, internal, or sensitive URLs, this creates an immediate confidentiality leak to an external party and expands exposure beyond the local workflow.

VirusTotal

All 64 of 64 VirusTotal vendors rated this skill clean (no detections).

Static analysis

No suspicious patterns detected.