unisk_video_notification

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward video-notification API wrapper, but users should configure it carefully because it sends phone numbers and server file paths to a configured service.

Install only if you control or trust the video-notification backend. Use an HTTPS API_BASE_URL, keep API_KEY secret, avoid temporary public tunnels for production, and confirm the recipient numbers and video file path before allowing the skill to send notifications.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The phrase '或类似关键词' makes skill activation boundaries ambiguous, which can cause the agent to invoke an external action on loosely related user text. Because this skill sends phone numbers and server-side file paths to a remote endpoint, overly broad triggering increases the risk of unintended data disclosure or unauthorized notification sending.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill transmits sensitive data, including recipient phone numbers and absolute server file paths, to an external service but does not clearly warn users about this data flow or retention implications. In this context, file paths can reveal internal server structure and phone numbers are personal data, so lack of transparency and transport/privacy guidance meaningfully increases privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal