IMA Studio Sevio AI Generation - Sevio 1.0, Sevio 1.0-Fast

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent IMA video-generation integration, but users should review it because local logs can retain sensitive request details and may capture an API key during some upload failures.

Install only if you trust IMA Studio and are comfortable sending prompts, selected media, and your IMA API key to the documented IMA services. Use a revocable API key, avoid uploading sensitive local media, and periodically inspect or delete `~/.openclaw/logs/ima_skills/` and `~/.openclaw/memory/ima_prefs.json`, especially after failed local-media uploads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The high-level description understates materially relevant behaviors: sending the user's API key to a second domain for uploads and persisting user preferences/logs locally. This is dangerous because users may consent to video generation without realizing that their credentials and local media may also be transmitted to another service and that per-user data is retained on disk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script stores per-user preference data under `~/.openclaw/memory/ima_prefs.json`, including user-scoped identifiers, model usage history, and timestamps, even though the skill's core function is video generation. Undisclosed local persistence expands the data footprint and creates privacy and multi-user leakage risk on shared systems, especially because the file path is predictable and there is no access control or retention policy in this code.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code writes local preference data to disk without any user-facing warning, consent flow, or visible disclosure at the point of collection. That creates a privacy transparency issue and can surprise users or administrators, particularly on shared hosts where saved preferences may reveal account usage patterns and model selections across sessions.

VirusTotal

61/61 vendors flagged this skill as clean.
