Hailuo Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MiniMax video-generation helper with expected API-key use and no hidden executable behavior.

Install only if you are comfortable letting the agent use your MiniMax API key to submit prompts and reference image URLs to MiniMax, query task status, and download videos. Prefer an environment variable or protected config file for the key, use a revocable key where possible, and change the sample output filename if video.mp4 already exists.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 81% confidence
Finding: The example downloads remote content directly to a fixed local filename (`video.mp4`) without warning that it will write to disk and may overwrite an existing file. This is a low-severity safety issue because users may unintentionally clobber local data or save untrusted content without review.

Missing User Warnings

Low

Confidence: 86% confidence
Finding: The skill instructs users to store an API key in a local config file but does not warn about file permissions, secret handling, or avoiding committing the file to source control. This increases the risk of credential exposure through weak permissions, backups, logs, or accidental sharing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal