Security audit

Image To Video Gen

Security checks across malware telemetry and agentic risk

Overview

The skill is a straightforward image-to-video workflow that uses Google APIs and saves generated artifacts locally, with privacy and cleanup caveats.

Install only if you are comfortable uploading the images and prompts you provide to Google services and keeping generated files under ~/.openclaw/workspace/tibetanProc/. Avoid confidential, personal, or regulated images unless that sharing and local retention are acceptable, and clean the output directory when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill sends user-provided images and derived prompts to external Google APIs, but the documentation does not clearly warn users that their content leaves the local environment. This can cause unintended disclosure of sensitive images or generated descriptions, especially if users assume processing is local.

Missing User Warnings

Low
Confidence: 91%
Finding
The metadata and description state that outputs are written to a fixed workspace directory, but users are not clearly warned that multiple local artifacts will be created and retained there. This can expose sensitive prompts, images, and generated media to other local users, backups, or later unintended reuse.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.