Back to skill

Security audit

Runware Image & Video generation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal Runware media-generation helper that sends user-chosen prompts and images to Runware and saves generated media locally.

Install only if you are comfortable sending prompts and any selected source images to Runware and using a Runware API key with this skill. Generated requests may consume paid credits. Prefer RUNWARE_API_KEY over --api-key so the key is less likely to appear in shell history or process listings, and avoid sensitive or regulated media unless Runware's terms meet your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation instructs users to supply an API key via environment variable or CLI flag and describes scripts that call an external service, which implies both environment access and network access. When a skill uses sensitive capabilities without explicitly declaring permissions, users and reviewers may not understand the trust boundary or data exfiltration risk, especially because prompts, images, and API credentials may be sent to a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.