Back to skill

Security audit

Dream Talking Image

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill appears to use a Dream/Newport API key to generate talking videos from user-provided image and audio URLs, with no hidden code or persistence found.

Install only if you intend to use the Dream/Newport talking-image service. Avoid submitting private, biometric, regulated, confidential, copyrighted, or signed/expiring media URLs unless you are comfortable with that third party processing them, and consider using a provider key with spending or usage limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes providing photo and audio URLs to a third-party API but does not clearly warn users that their supplied media locations and associated content will be transmitted to an external service. This creates a real privacy and data-handling risk because users may submit sensitive images, voice recordings, or signed URLs without informed consent about off-platform processing.

VirusTotal

46/46 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.