Hugging Face Free Video Generation

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as Hugging Face video generation, but it actually connects to NemoVideo cloud APIs and can send prompts, uploads, and tokens there.

Review this as a NemoVideo cloud-rendering integration, not simply a Hugging Face skill. Install only if you are comfortable sending prompts and any uploaded media to that provider, and avoid sensitive content or valuable account tokens unless the publisher clearly explains the provider relationship and data handling.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The invocation guidance uses generic phrases such as sharing prompts or telling the agent what the user is thinking, which can cause unintended activation during normal conversation. In a skill that immediately performs setup and contacts external APIs, accidental routing can trigger network requests, session creation, and token acquisition without clear user intent.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The example trigger phrase 'generate my text prompts' is overly vague and likely to overlap with common user requests unrelated to this specific skill. Because the skill then performs automatic authentication/session setup against a third-party service, ambiguous triggering increases the risk of unintended external data transmission and unauthorized consumption of anonymous tokens or credits.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal