Image To Video Creator Ai

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud image-to-video skill that sends selected media and prompts to NemoVideo, with no evidence of hidden local code or destructive behavior.

Install only if you are comfortable sending chosen images, media URLs, editing prompts, and project state to NemoVideo's cloud service. Keep NEMO_TOKEN private, avoid sensitive or confidential media unless that provider is acceptable for it, and review generated exports before sharing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: Routing 'everything else' to the generation/SSE action creates an overly broad trigger that can cause unintended remote requests and processing for ambiguous or unrelated user input. In this skill, that is more concerning because the fallback sends content to an external API-backed workflow, increasing the chance of accidental data transmission or misuse outside the stated image-to-video scope.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to automatically obtain tokens, create sessions, and connect to a third-party cloud API before doing anything else, without a clear upfront consent step explaining that user data and files will be transmitted off-platform. This is dangerous because users may provide images or prompts expecting local handling, while the skill silently initiates external authentication and remote processing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal