Ai Image To Video Ai

Security checks across malware telemetry and agentic risk

Overview

This is a cloud image-to-video skill that clearly depends on NemoVideo’s remote service, with privacy considerations but no evidence of hidden or malicious behavior.

Install only if you are comfortable with images, prompts, and related session metadata being sent to mega-api-prod.nemovideo.ai for cloud processing. Avoid confidential media unless you trust the provider’s privacy and retention practices, and use a dedicated or anonymous NEMO_TOKEN where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to automatically contact a remote backend, obtain an anonymous token, and create a session without an explicit user opt-in or a clear warning that network requests and credential handling will occur. This can cause silent transmission of metadata and establishment of remote state before the user meaningfully consents, which is a real privacy and transparency issue for a skill that handles user-provided media.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The skill sends a detected language value to the backend automatically without documenting user choice or offering opt-in. While lower severity than silent token/session setup, language can still reveal user locale or sensitive preference information and represents unnecessary metadata disclosure if sent by default.

VirusTotal

63/63 vendors flagged this skill as clean.
