05 Image To Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward image-to-video API wrapper, but users should know their image URL is sent to the configured external provider.

Install only if you trust the API_BASE provider you configure. Do not use private, sensitive, regulated, or copyrighted image URLs unless that provider's privacy, retention, and usage terms are acceptable, and prefer a limited-scope API key.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill states that it uses a general image-to-video model and requires external API configuration, but it does not warn users that supplied image data may be transmitted to a third-party service. This creates a privacy and data-handling risk, especially if users provide sensitive, copyrighted, or personal images without understanding where the data goes.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: This skill sends a user-supplied image URL to an external API along with a bearer credential, but provides no validation, restriction, or disclosure around that data transfer. That creates a privacy and trust issue because user input is exfiltrated to a third party, and if the upstream service dereferences the URL it may also enable SSRF-style abuse or unintended access to internal resources depending on deployment context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal