Ai Image To Video Effects

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud image-to-video skill, but users should know their prompts and uploaded media are sent to NemoVideo for processing.

Install only if you are comfortable sending chosen images, videos, audio, text prompts, and project/session metadata to NemoVideo. Avoid confidential media unless you trust that provider, keep NEMO_TOKEN private, and ask the agent to confirm before connecting or uploading sensitive files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The catch-all routing rule sends 'everything else' to the remote SSE backend, which can cause unrelated user prompts to be forwarded off-platform unexpectedly. In this skill's context, that increases the risk of over-collection of prompts and accidental disclosure of sensitive user content to a third-party service outside the intended image-to-video scope.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to upload files and send prompts to a third-party backend but explicitly says to hide technical details from the user, which suppresses meaningful consent. Because this skill handles user-supplied media files and text prompts, the lack of a clear disclosure materially increases privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal