Security audit

Hailuo Video

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Hailuo video-generation skill that sends user-directed requests to AceDataCloud’s external API and does not include hidden code or persistence.

Install only if you are comfortable sending video prompts, source image URLs, and any callback URL you configure to AceDataCloud/Hailuo. Avoid secrets, private internal URLs, proprietary images, or regulated data unless you have approved that provider and understand its retention and billing terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill documentation instructs users to send prompts, image URLs, and optional callback URLs to AceDataCloud's external API but does not clearly warn that this data leaves the local environment and is processed by a third party. This creates a privacy and data-handling risk because users may unknowingly submit sensitive text, internal image links, or callback endpoints to an external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.