Flow Ai Image To Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud image-to-video helper that sends user media and prompts to NemoVideo, which matches its advertised purpose.

Install only if you are comfortable sending uploaded images or other media, prompts, and related session metadata to NemoVideo for cloud processing. Avoid confidential, regulated, or client-sensitive media unless you have reviewed the provider's privacy and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Low (89% confidence)

The skill instructs deriving attribution headers from the local install path and runtime environment, creating unnecessary host-context telemetry unrelated to the core user task. Even if the data seems minor, it leaks environmental metadata to a third-party service and can aid fingerprinting, platform identification, or cross-session tracking without clear user consent.

Missing User Warnings

Medium (95% confidence)

The skill automatically connects to a remote API, obtains tokens, creates sessions, and uploads user-provided images without a clear, up-front disclosure that files and prompts are transmitted to a third-party service. This creates a privacy risk because sensitive images or metadata may leave the user's environment before informed consent is established.

VirusTotal

64/64 vendors flagged this skill as clean.
