PonyFlash - Media Generation Router

Security checks across malware telemetry and agentic risk

Overview

The skill’s media-generation purpose is coherent, but it asks users to put a live API key in chat and under-explains when private media or prompts leave the local machine.

Install only if you are comfortable using PonyFlash as a cloud media processor. Do not paste your API key into chat; set it through a secure secret manager or environment variable instead. Avoid using sensitive photos, audio, videos, brand assets, or confidential prompts unless you understand PonyFlash and third-party search/data handling, and review outputs and costs before running expensive generation steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The invocation language is very broad (`create`, `generate`, `produce`, `edit`, `render`, etc.), which can cause the skill to activate for loosely related requests. Over-broad triggering is dangerous because it increases the chance the agent enters a shell/file/network-capable workflow when a simpler or safer skill should have handled the task.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The examples show uploading local image, audio, and video files and also passing a remote URL into generation APIs, but they do not warn users that these inputs may be transmitted to the PonyFlash service or fetched from external infrastructure. In a media-generation skill, this omission can cause accidental disclosure of sensitive local media or metadata because users may reasonably assume examples are purely local transformations unless the network behavior is made explicit.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The playbook description is very broad and overlaps with many common media-related requests, which can cause the skill to activate in situations where a narrower or safer skill would be more appropriate. In an agent environment, unintended activation can lead to over-collection of user data, unnecessary media generation steps, or execution of expensive downstream workflows without clear user intent.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding
Mandating that all written communication be in English without user opt-in can override user language preference and create misunderstanding around requirements, approvals, subtitles, legal claims, or deliverables. In a video-production workflow that depends on precise confirmation at multiple checkpoints, this raises the risk of incorrect consent, wrong asset generation, and failures for non-English users.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation describes upload, presign, and resolve flows that send local file contents to a remote service, but it does not clearly warn users that local files may be transmitted off-device automatically. In this skill context, that matters because media-generation workflows commonly involve personal images, audio, or videos, and `generate()` auto-upload behavior increases the chance of accidental disclosure.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The documentation exposes `delete()` and `cleanup()` as destructive operations without calling out that they permanently remove uploaded files or may delete temporary artifacts. While this affects remote uploaded files rather than arbitrary local files, users may still invoke deletion without realizing that the action is irreversible, or that best-effort cleanup may silently hide failures.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation states that `google_search` and `image_search` are available via `**extra_body` and notes they default to true, but it does not explicitly warn users that using `nano-banana-2` may cause external network lookups by default. In a media-generation skill, that can leak user prompts or derived query content to third-party services unexpectedly, which is a real privacy and compliance risk even though it is primarily a documentation/configuration issue rather than direct code execution.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation advertises `google_search` and `image_search` as enabled by default for real-time grounding, but it does not warn that prompts and possibly user-supplied reference context may be sent to external Google services. In a media-generation skill, users may provide sensitive prompts or private images, so the omission can lead to unintended data disclosure and poor consent around third-party processing.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The skill explicitly instructs the user to paste an API key into chat and then uses that secret in commands/code. Chat channels are often logged, retained, or exposed to other tools and operators, so collecting secrets this way materially increases the risk of credential leakage and downstream account compromise.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The verification example initializes the SDK with the raw key value taken from chat, normalizing unsafe secret handling as part of the workflow. This raises the likelihood the key will be copied into transcripts, notebooks, shell history, or debugging output, which can expose a live credential tied to billable cloud actions.

VirusTotal

65/65 vendors flagged this skill as clean.