wan-video-gen

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Wan video-generation helper that uses a DashScope API key to submit jobs and save generated videos locally.

Before installing, understand that using this skill can spend DashScope credits and will save generated videos locally by default. Prefer setting DASHSCOPE_API_KEY as an environment variable; if you use config.json, keep it out of source control and restrict access to the file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 91% confidence
Finding
The setup instructions tell users to place an API key in a local `config.json` but do not warn against committing that file, broadening filesystem access, or leaking it through logs and support bundles. This increases the chance of credential exposure through source control, backups, or other local tooling, which could allow unauthorized use of the DashScope account.

Missing User Warnings

Low, 84% confidence
Finding
The documentation states that successful runs automatically download generated MP4 files into a local `outputs/` directory, but it does not clearly warn the caller that the skill will modify the local filesystem. In an agent context, implicit file writes can surprise users, consume disk space, or create privacy/operational issues if generated media is stored without explicit consent.

VirusTotal

63/63 vendors flagged this skill as clean.
