AI Image & Video Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward VibeVideo API helper that uses a user-provided API key to generate or manage media tasks.

Install only if you trust VibeVideo with the prompts, generation parameters, and image URLs you provide. Keep VIBEVIDEO_API_KEY secret, monitor credit usage because generation can spend paid credits, and avoid submitting private or internal media URLs unless you intend to share them with the provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill sends user prompts and potentially user-supplied image URLs to an external third-party API, but it does not clearly warn users that their content leaves the local environment. This can lead to unintended disclosure of sensitive prompts, proprietary media references, or personal data embedded in URLs.

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The skill requires a sensitive API key and demonstrates authenticated requests, but it does not explicitly warn against exposing the key in logs, transcripts, screenshots, or shared shell history. While the examples do not directly print the key, lack of handling guidance increases the chance of accidental credential leakage during use or troubleshooting.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal