WeryAI video tool — lips change

Security checks across malware telemetry and agentic risk

Overview

This is a narrow WeryAI lip-sync helper that sends user-provided public media URLs to WeryAI as disclosed.

Install only if you trust the publisher and are comfortable sending the exact video and audio URLs to WeryAI for processing. Use dry-run first, avoid signed or credential-bearing URLs when possible, and set WERYAI_API_KEY only in a trusted runtime.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: This skill submits user-supplied video and audio URLs to a third-party service, which creates a real data disclosure boundary. Even if only URLs are sent, those URLs may embed sensitive tokens, point to private-but-reachable assets, or reveal user content and infrastructure details, and the script does not present any explicit warning or consent mechanism before transmission.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal