Back to skill

Security audit

infinimo-ai-design-video-create

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Infinimo video-generation helper that sends chosen prompts and media files to the documented Infinimo API, with no evidence of hidden execution, persistence, or malicious data handling.

Install only if you are comfortable sending selected prompts and media files to Infinimo/clawec.com using your API token. Avoid uploading sensitive or private media unless you understand the provider’s retention and privacy terms, and treat the documented delete endpoint as a manual destructive action that may remove remote generation history or results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documents executable shell usage (`bash scripts/...`) while the manifest does not declare corresponding permissions or capabilities. This creates a transparency and control gap: users or orchestrators may not realize the skill can invoke local shell scripts that perform network calls, file uploads, or deletions.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill description focuses on generation, uploads, estimates, and polling, but the documentation also exposes a deletion endpoint for video logs/results. Undocumented destructive functionality increases the risk of accidental or unauthorized data loss because users and policy systems may not expect the skill to remove records.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to upload images, video, and audio assets to a third-party remote API without any privacy, retention, or data-handling warning. This is dangerous because users may submit sensitive media without understanding that it leaves the local environment and may be stored, processed, or retained by the provider.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The documented delete endpoint appears without any warning that it removes stored generation logs or results. Even if deletion is intended, lack of warning can cause accidental destruction of user history or outputs, especially in automated agent flows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script uploads an arbitrary local file to a remote third-party endpoint with no prompt, warning, confirmation, or inline disclosure about the transfer. In a skill that processes user-provided media this may be functionally expected, but the lack of explicit disclosure increases the risk of accidental exfiltration of sensitive local files if a user passes the wrong path or does not realize data leaves the machine.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.