Image To Video Like Grok

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent cloud image-to-video helper, but users should know their media and prompts are sent to nemovideo.ai.

Install only if you are comfortable sending selected images, prompts, and render jobs to nemovideo.ai and using its token/credit system. Avoid sensitive personal or proprietary media unless you trust that backend's privacy and retention practices.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The example utterances are extremely generic phrases like "convert my images" and "export 1080p MP4," which can collide with normal conversation and cause unintended invocation of a network-enabled skill. Because this skill can automatically obtain tokens, create cloud sessions, upload media, and trigger paid or quota-limited operations, accidental activation has meaningful security and cost implications beyond simple UX confusion.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The routing table sends "Everything else" to the SSE action, creating a catch-all trigger that can treat nearly any unmatched user text as an instruction to a remote backend. In this skill, that is more dangerous than usual because the SSE path can drive edits and cloud render actions indirectly, increasing the chance of unintended external requests, media processing, session mutation, and credit consumption from ordinary chat.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal