volcengine-video

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses VolcEngine API keys to send video prompts or task IDs to VolcEngine, with some credential-handling and privacy cautions for users.

Install only if you intend to use VolcEngine for video generation. Store real keys outside shared repositories when possible, keep config.json private, rotate keys if exposed, and avoid sending sensitive, personal, regulated, or confidential prompt content to the third-party API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README instructs users to place long-lived access_key and secret_key values in a local JSON file at a fixed path, but provides no warning about protecting the file, excluding it from version control, or using a safer secret store. This can lead to accidental credential disclosure through commits, backups, shared workspaces, or weak filesystem permissions, enabling unauthorized API use.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad, generic, and likely to match ordinary user requests about making videos, which can cause the skill to activate unexpectedly. In this skill, unintended activation could send user prompts or content to an external video-generation API without sufficiently clear user intent or awareness, increasing privacy and misuse risk.

Vague Triggers

Low
Confidence: 83%
Finding
The task-status examples include very short and ambiguous phrases such as asking whether there was an error, which are too generic to safely distinguish from normal conversation. This can lead to accidental routing into the skill and unintended disclosure or use of task identifiers and external API calls.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill description does not warn users that their prompts and related task data will be transmitted to a third-party video-generation service. Without clear disclosure and consent, users may provide sensitive information that is then sent externally, creating privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence: 91%
Finding
The configuration section instructs use of access and secret keys but provides no warning about secure storage, rotation, or preventing exposure of credentials. This increases the likelihood of insecure secret handling, which could lead to API key leakage and unauthorized use of the external service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script sends the user-supplied prompt to VolcEngine's external API as part of the request body, but the code does not provide any explicit disclosure, consent flow, or warning that prompt contents will leave the local environment. If prompts may contain sensitive data, users can unknowingly transmit confidential information to a third party and have it logged or retained externally.

VirusTotal

65/65 vendors flagged this skill as clean.
