Back to skill

Security audit

Video Prompt Generator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it generates video prompts by sending your topic and any public image URLs to NanoPhoto's API.

Install only if you trust NanoPhoto with the topics and public image URLs you submit. Store the API key in the platform's secure skill environment rather than chat or command-line arguments, and remember that generation may consume NanoPhoto credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs users to provide publicly accessible image URLs to a third-party API but does not warn that doing so may expose sensitive images, metadata, or access patterns beyond the user's control. In the context of a prompt-generation skill, users may reasonably paste personal or proprietary image links without realizing they are being shared externally, creating a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits user-provided topic text and optional image URLs to a third-party service at nanophoto.ai, but the code itself provides no explicit runtime disclosure or consent mechanism before sending potentially sensitive user content off-host. In a prompt-generation skill this data flow is functionally expected, but it still creates a real privacy/security concern if operators or downstream users assume inputs are processed locally.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.