Image To Video Make

Security checks across malware telemetry and agentic risk

Overview

This appears to be a cloud video-generation skill whose remote token, session, upload, and SSE workflow fit its stated purpose, but users should understand that prompts or media may be sent to the provider.

Install only if you are comfortable using NemoVideo-style cloud processing. Avoid sending private, confidential, or regulated content unless you trust the provider and confirm what will be uploaded or forwarded before generation starts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 77% confidence
Finding: The catch-all rule routes 'Everything else' to the SSE chat backend, meaning ambiguous or unrelated user text may be forwarded to a remote service automatically. In a skill that can create sessions and send user content to an external backend, this increases the chance of unintended data disclosure or unintended remote actions from loosely matched prompts.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to automatically connect to a backend and, if needed, generate a client identifier and obtain an anonymous auth token without clear upfront user consent. This is dangerous because it initiates external network/authentication activity and account-like session creation implicitly, which can surprise users and send metadata to a third party before they knowingly opt in.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal