Image Creator Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-generation helper that sends prompts and media to Nemo Video, which fits its stated purpose but requires privacy-aware use.

Install only if you are comfortable sending prompts, uploaded images, video/audio files, URLs, and draft/edit state to the Nemo Video cloud backend under a NEMO_TOKEN or anonymous token. Avoid confidential or proprietary media unless you trust that service, and ask the agent to confirm before acting on vague generation or edit requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The routing table sends all unmatched requests to the SSE generation/edit action, which can cause accidental execution of remote backend operations for ambiguous user input. In a skill that uploads content and sends prompts to a cloud service, a broad catch-all increases the chance of unintended data transmission or edits without clear user intent.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill does not prominently warn users that their prompts, uploaded images, and related content are transmitted to a third-party cloud backend for processing. This creates a privacy and data-handling risk because users may share sensitive media or text without informed consent, especially given the broad upload and generation workflow.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal