Image To Video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-to-video guide that relies on a third-party CLI and account login, with disclosed but real installation and data-sharing risks.

Install only if you are comfortable trusting inference.sh. Prefer the manual download and checksum path over piping the installer directly to `sh`, review infsh commands before approving them, and avoid using private images or sensitive prompts unless you accept that they may be sent to external model providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs users to execute a shell script fetched directly from the internet via `curl ... | sh`, which allows arbitrary code execution if the remote host, distribution path, DNS, TLS termination, or supply chain is compromised. Although the surrounding note mentions checksum verification, that verification occurs inside the downloaded script itself, so the initial trust boundary is still the remote script being executed blindly.

VirusTotal

66/66 vendors flagged this skill as clean.
