Dream Avatar

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward DreamAvatar video-generation skill, but users should understand that selected images and audio are sent to an external service.

Install only if you are comfortable providing a DreamAPI key and sending the chosen images, photos, voices, or audio clips to the DreamAvatar/NewportAI workflow. Avoid sensitive media unless you accept temporary externally reachable file URLs, and revoke or rotate the API key when you no longer use the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly supports local image and audio inputs and later states those files are automatically uploaded to OSS and exposed via generated public URLs, but the user-facing local-file option does not warn about this data transfer. This creates a meaningful privacy and consent issue because users may believe files are processed locally or only transiently, when in fact sensitive media is sent to a third party and made publicly reachable for a period of time.

VirusTotal

66/66 vendors flagged this skill as clean.
