Security audit

Luma Video

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal third-party video-generation API skill, but users should treat prompts, image URLs, and API tokens as data sent to an external service.

Install only if you are comfortable sending generation prompts, image URLs, video IDs, and related metadata to AceDataCloud/Luma. Use a dedicated API token, do not include secrets or private/internal URLs in prompts, and review the provider's privacy and retention terms for confidential work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly instructs users to send prompts and optional reference image URLs to a third-party API, but it does not clearly warn that user-provided content will leave the local environment and be processed by an external service. This can lead to unintended disclosure of sensitive prompts, private image URLs, or internal resource links if users assume the skill operates locally or do not understand the data-sharing implications.

External Transmission

Medium
Category
Data Exfiltration
Content
## Quick Start

```bash
curl -X POST https://api.acedata.cloud/luma/videos \
  -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a drone flying over a mountain lake at sunrise", "action": "generate", "wait": true}'
```
Confidence
84% confidence
Finding
curl -X POST https://api.acedata.cloud/luma/videos \ -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Quick Start

```bash
curl -X POST https://api.acedata.cloud/luma/videos \
  -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a drone flying over a mountain lake at sunrise", "action": "generate", "wait": true}'
```
Confidence
84% confidence
Finding
https://api.acedata.cloud/

VirusTotal

66/66 vendors flagged this skill as clean.