Ai Animation Photo

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only photo animation skill that sends media and prompts to NemoVideo’s cloud API for rendering, which is disclosed and aligned with its purpose.

Install only if you are comfortable sending photos, videos, audio, prompts, and timeline/render state to NemoVideo’s cloud service. Avoid uploading sensitive personal media unless you trust that provider, and be aware that ambiguous edit prompts may be forwarded to the service while the skill is active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
Routing essentially all unmatched prompts into the SSE generation path creates an overbroad trigger surface. In this skill context, that means unrelated or ambiguous user input may be forwarded to a cloud backend with session context and uploaded media, causing unintended processing, privacy exposure, or unexpected credit consumption.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to connect to external APIs and process user media in the cloud, but the user-facing description does not clearly warn that photos, prompts, and session metadata are transmitted to a third-party service. In a media skill handling personal images, that lack of transparent disclosure materially increases privacy and consent risk.

VirusTotal

66/66 vendors flagged this skill as clean.
