mux-video
Facilitates video uploading, management, and embedding using Mux's API and CLI, streamlining video workflows for developers.
Install this skill
Security score
The mux-video skill was audited on Mar 7, 2026 and we found 45 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 43 | ```bash |
Template literal with variable interpolation in command context
| 62 | ```bash |
Template literal with variable interpolation in command context
| 79 | ```bash |
Template literal with variable interpolation in command context
| 88 | ```bash |
Template literal with variable interpolation in command context
| 94 | ```bash |
Template literal with variable interpolation in command context
| 100 | ```bash |
Template literal with variable interpolation in command context
| 106 | ```bash |
Template literal with variable interpolation in command context
| 122 | ``` |
Template literal with variable interpolation in command context
| 127 | ``` |
Template literal with variable interpolation in command context
| 134 | ```html |
Template literal with variable interpolation in command context
| 214 | ```bash |
Curl to non-GitHub URL
| 44 | curl https://api.mux.com/video/v1/assets \ |
Curl to non-GitHub URL
| 63 | curl https://api.mux.com/video/v1/uploads \ |
Curl to non-GitHub URL
| 89 | curl https://api.mux.com/video/v1/assets \ |
Curl to non-GitHub URL
| 95 | curl https://api.mux.com/video/v1/assets/${ASSET_ID} \ |
Curl to non-GitHub URL
| 101 | curl -X DELETE https://api.mux.com/video/v1/assets/${ASSET_ID} \ |
Curl to non-GitHub URL
| 107 | curl https://api.mux.com/video/v1/assets \ |
Curl to non-GitHub URL
| 215 | curl https://api.mux.com/video/v1/assets \ |
Webhook reference - potential data exfiltration
| 4 | description: "Upload, manage, and embed videos via Mux. Covers direct uploads, API asset management, webhook event flow, playback embedding, and the Mux CLI. Use when uploading video, creating assets, |
Webhook reference - potential data exfiltration
| 11 | - webhooks |
Webhook reference - potential data exfiltration
| 16 | Upload, manage, and embed videos through Mux's API and CLI. Integrates with joelclaw's webhook infrastructure and Inngest event pipeline. |
Webhook reference - potential data exfiltration
| 20 | Triggers on: "upload video to mux", "create mux asset", "embed mux video", "check video status", "mux playback", "direct upload", "video encoding", "mux webhook", or any task involving video hosting v |
Webhook reference - potential data exfiltration
| 28 | - `mux_signing_secret` — webhook signing secret (per-endpoint, HMAC) |
Webhook reference - potential data exfiltration
| 155 | ## Webhook Events |
Webhook reference - potential data exfiltration
| 157 | Mux webhooks are registered at: `https://panda.tail7af24.ts.net/webhooks/mux` |
Webhook reference - potential data exfiltration
| 159 | The webhook provider (`packages/system-bus/src/webhooks/providers/mux.ts`) handles HMAC-SHA256 verification and normalizes events into the Inngest pipeline. |
Webhook reference - potential data exfiltration
| 212 | Always set `passthrough` when creating assets or uploads. This is your correlation ID that flows through all webhook events: |
Webhook reference - potential data exfiltration
| 228 | - **Always use `passthrough`** for tracking — it's your only way to correlate webhooks back to your records. |
Webhook reference - potential data exfiltration
| 229 | - **Don't poll for status** in production — use webhooks. Mux has rate limits. |
Webhook reference - potential data exfiltration
| 230 | - **Webhook signing secret is per-endpoint** — it's the secret you get when registering the webhook URL in the Mux dashboard, NOT the API token secret or signing key. |
External URL reference
| 44 | curl https://api.mux.com/video/v1/assets \ |
External URL reference
| 49 | "input": [{"url": "https://example.com/video.mp4"}], |
External URL reference
| 63 | curl https://api.mux.com/video/v1/uploads \ |
External URL reference
| 89 | curl https://api.mux.com/video/v1/assets \ |
External URL reference
| 95 | curl https://api.mux.com/video/v1/assets/${ASSET_ID} \ |
External URL reference
| 101 | curl -X DELETE https://api.mux.com/video/v1/assets/${ASSET_ID} \ |
External URL reference
| 107 | curl https://api.mux.com/video/v1/assets \ |
External URL reference
| 112 | "input": [{"url": "https://example.com/video.mp4"}], |
External URL reference
| 123 | https://stream.mux.com/${PLAYBACK_ID}.m3u8 |
External URL reference
| 128 | https://image.mux.com/${PLAYBACK_ID}/thumbnail.jpg |
External URL reference
| 129 | https://image.mux.com/${PLAYBACK_ID}/thumbnail.jpg?time=10 |
External URL reference
| 130 | https://image.mux.com/${PLAYBACK_ID}/animated.gif?start=5&end=10 |
External URL reference
| 157 | Mux webhooks are registered at: `https://panda.tail7af24.ts.net/webhooks/mux` |
External URL reference
| 215 | curl https://api.mux.com/video/v1/assets \ |
External URL reference
| 220 | "input": [{"url": "https://example.com/video.mp4"}], |
Install this skill with one command
/learn @joelhooks/mux-video