Back to skill

Security audit

IMA AI Video Generator — Short & Promo Video, Text to Video, Image to Video Generation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it uses your IMA API key, sends prompts and selected images to IMA services, and keeps small local preference/log files.

Install only if you trust IMA Studio with your API key, prompts, and any images you provide. Use a revocable or low-quota API key, avoid sensitive media, monitor credit usage, and periodically review or delete ~/.openclaw/memory/ima_prefs.json and ~/.openclaw/logs/ima_skills/ if local history matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The script persistently stores per-user model preferences under ~/.openclaw/memory/ima_prefs.json, but this behavior is outside the stated video-generation scope. Undisclosed persistent storage can surprise users, create unnecessary retention of behavior metadata, and expose usage history to other local processes or users on shared systems.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
SKILL-DETAIL.md:378