Runware Image & Video generation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal Runware media-generation helper that sends user-provided prompts and selected images to Runware as part of its stated purpose.

Install only if you are comfortable using a Runware API key with this skill. Prompts and any images you choose for transformation, upscaling, or video generation will be sent to Runware and may consume paid credits, so avoid sensitive or regulated content unless Runware's terms meet your needs. Prefer the environment variable over passing the key on the command line.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation tells users to configure an API key but does not disclose that prompts and user-supplied images will be transmitted to Runware for processing. This creates a privacy and data-handling risk because users may submit sensitive prompts or files without understanding they are leaving the local environment and being processed by a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal