runninghub-video

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RunningHub video-generation helper that uploads user-selected images and saves generated videos locally as part of its stated purpose.

Install only if you intend to send selected images, prompts, and API-authenticated requests to RunningHub. Use a dedicated output directory, avoid sensitive images unless external processing is acceptable, and prefer the RUNNINGHUB_API_KEY environment variable over passing the key directly on the command line.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to upload local files to a third-party service and to download outputs locally, but it does not require any user-facing warning or confirmation about external data transfer or disk writes. In context, this is more dangerous because the skill is specifically designed to handle local media paths automatically, so users may unintentionally expose sensitive files or create local artifacts without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal