AI Media Generation En

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it uses an AIsa API key to generate images and videos and save requested outputs locally.

Install only if you trust AIsa and the publisher. Use a dedicated API key, avoid confidential prompts or private/internal image URLs, and treat downloaded media files as untrusted until validated.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Tainted flow: 'req' from os.environ.get (line 65, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: os.makedirs(os.path.dirname(out_path) or ".", exist_ok=True) req = urllib.request.Request(url, headers={"User-Agent": "OpenClaw-Media-Gen/1.0"}) try: with urllib.request.urlopen(req, timeout=timeout_s) as resp, open(out_path, "wb") as f: total = 0 while True: chunk = resp.read(1024 * 1024) # 1MB
Confidence: 86% confidence
Finding: with urllib.request.urlopen(req, timeout=timeout_s) as resp, open(out_path, "wb") as f:

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill instructs users to set an API key and send prompts, image URLs, and task data to a third-party service without an explicit privacy or data-handling warning. This can lead users to unknowingly transmit sensitive prompts or referenced media to an external provider, which is a real security and privacy concern in agent settings.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal