IMA Seedance2.0 Video Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate video-generation skill, but it has meaningful privacy and network-safety concerns that users should review before installing.

Review the skill before installing if you may use private prompts, proprietary media, personal images, or internal URLs. Treat all prompts, URLs, and local media inputs as potentially sent to external IMA-related services, avoid enabling auto-consent unless you control the environment, and prefer only public or approved media until the disclosure and URL-download safeguards are tightened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description emphasizes video generation, but the metadata admits materially broader behavior: uploading local media to a separate domain, downloading remote media for inspection, performing compliance-verification calls, emitting interactive events, and persisting per-key preferences locally. This mismatch is dangerous because users and orchestrators may grant trust or consent based on the narrower description, while the skill actually expands data exposure, third-party transmission, and local persistence beyond what is prominently disclosed.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The flow explicitly states that no compliance verification is required, which is unsafe in a media-generation skill that can also operate across broader reference-media workflows and likely serves user-generated content. Even in a text-to-video path, skipping policy and safety checks can allow abusive, infringing, or otherwise disallowed generation requests to be sent directly to the external provider.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation creates a safety contradiction: one section says execution must stop when user requirements cannot be met, while a later section promotes automatic degradation and retries that reduce resolution/duration. In a media-generation skill, this can cause the agent to silently produce output that no longer satisfies explicit user constraints, undermining requirement integrity and potentially bypassing user intent or policy-sensitive boundaries.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The consent text states that media files are 'only analyzed, not stored or shared,' but the code sends asset URLs and names to an external verification service. This is a privacy and transparency issue because users may be misled about third-party data disclosure, especially when remote URLs can expose sensitive resources or identifiers.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented flow collects a prompt, creates a task, and polls results without warning that the user's prompt content will be transmitted to an external service. This creates a privacy and transparency gap that can expose sensitive or proprietary user input, especially in enterprise or confidential creative workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions encourage users to pass external image, video, and audio URLs into a third-party video generation workflow without any privacy warning, consent guidance, or note that referenced media may be uploaded to the provider. This can lead to unintended disclosure of sensitive or proprietary media, especially because the skill explicitly supports multiple reference modalities and makes such usage look routine and low-risk.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The create_task call transmits user prompts and referenced media URLs to api.imastudio.com, and this file contains no mechanism to ensure the user is explicitly informed or has consented to that external disclosure. In a media-generation skill, prompts and media can contain sensitive personal, proprietary, or confidential data, so silent transmission creates a real privacy risk even if it is functionally necessary.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The code uploads local media files to a remote OSS service automatically when a non-URL source is provided, but the user-facing warning exists only in internal documentation/comments rather than at the point of execution. In a skill context, this creates a real privacy and data-handling risk because users may supply local files expecting local processing, while the skill silently transfers them to a third-party remote service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This function performs unrestricted outbound requests to attacker-controlled URLs and writes the response body to disk without host allowlisting, scheme restrictions, size limits, or content validation. In a skill that accepts remote media inputs, this can enable SSRF against internal services and resource-exhaustion attacks through very large downloads.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
description: Optional stdout mode toggle for event-stream integrations. Supported values are events, mixed, and auto.
      - name: IMA_AUTO_CONSENT
        required: false
        description: Optional non-interactive flag to auto-approve asset compliance verification prompts.
      - name: IMA_DEBUG
        required: false
        description: Optional debug flag that enables verbose logging for troubleshooting.
Confidence
88% confidence
Finding
auto-approve

VirusTotal

64/64 vendors flagged this skill as clean.
