Image To Video Bot

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud image-to-video connector with expected external uploads, but users should know their media and prompts are sent to NemoVideo.

Install only if you are comfortable sending selected images, prompts, and render metadata to NemoVideo's cloud service. Avoid confidential media unless you trust that service's retention and privacy practices, and prefer using your own NEMO_TOKEN if you want account-level control instead of an anonymous starter token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to establish a backend connection before handling any user request and to upload user images and prompts to a third-party cloud API, while explicitly hiding technical details from the user. That creates a real privacy and informed-consent risk because sensitive media and text may be transmitted off-platform without a clear user-facing disclosure or opt-in at the point of transfer.

VirusTotal

63/63 vendors flagged this skill as clean.
