Ai Image To Video K

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud image-to-video skill whose remote upload, token, session, and export behavior fit its stated purpose, with privacy guidance needed for user media.

Install only if you are comfortable sending images, prompts, and related session data to nemovideo.ai for cloud processing. Avoid using sensitive or private media, and be aware that broad edit prompts may be forwarded to the service as part of generation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The catch-all rule routes essentially any unmatched prompt to the SSE generation action, which can cause over-collection of user input and unintended transmission of arbitrary requests to the remote API. In practice, this weakens user-intent validation and can make the skill act on unrelated prompts, increasing the risk of privacy leakage or misuse of backend capabilities beyond the advertised scope.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to upload files, acquire tokens, and create remote sessions without clearly warning users that their images and prompts are sent to a third-party cloud service. This is dangerous because users may share sensitive media under the assumption processing is local, creating a privacy and consent failure even if the backend itself is legitimate.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal