Image To Video No Credits

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised image-to-video workflow, but its “no credits” claim conflicts with its own credit-token workflow and it automatically connects to a third-party backend.

Review this carefully before installing. Use only a dedicated NEMO token or anonymous token, do not upload private or regulated media unless you trust NemoVideo’s handling of it, and assume the workflow may involve limited free credits, balance checks, account binding, or subscription-tier restrictions despite the “no credits” wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The skill repeatedly claims operation 'without using any credits,' yet the setup explicitly acquires a token with 100 free credits and later handles credit exhaustion and balance checks. This is deceptive billing/consumption behavior that can mislead users into authorizing backend actions under false assumptions about cost and account usage.

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs automatic connection to a third-party backend and transmission of user images/prompts using environment credentials, but does not provide clear up-front user notice or consent for remote processing. Because uploaded media may be sensitive, silent exfiltration to an external service creates meaningful privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.
