Back to skill

Security audit

PixVerse AI Image and Video Generator

Security checks across malware telemetry and agentic risk

Overview

This PixVerse skill mostly matches its media-generation purpose, but it needs Review because it can spend account credits, upload local media, delete assets, and persist account/workspace state without consistently requiring confirmation or privacy warnings.

Install only if you trust the PixVerse CLI and are comfortable with cloud processing. Before letting an agent use it, require confirmation for paid generations, local file uploads, asset deletion, and workspace switches; avoid sensitive media or voice files; protect ~/.pixverse/ and PIXVERSE_TOKEN; and run the update scripts only in a git checkout you are comfortable modifying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

High
Confidence
86% confidence
Finding
The skill claims it only optimizes prompt text and 'does not select models, quality, or other parameters,' yet it instructs the agent to always recommend '--audio --multi-shot'. This creates a hidden scope expansion where a text-only transformation skill can influence execution parameters, potentially causing unintended tool behavior, extra costs, longer runtimes, or altered outputs without clear user consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly states that the auth token is stored under `~/.pixverse/` but does not warn that this is sensitive credential material or recommend restrictive file permissions and avoidance of sharing/backing up that directory. If users or downstream agents treat that path as ordinary config data, the token could be exposed through backups, support bundles, screenshots, or multi-user systems, enabling account access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends `PIXVERSE_TOKEN` as an override mechanism without warning that environment variables are often exposed to child processes, process inspection tools, CI logs, shell history via export commands, and crash reports. This can cause inadvertent credential leakage, especially in automated agent or CI/CD environments where env vars are widely propagated.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The multiple-image editing section instructs users to provide local file inputs, but unlike the single-image workflow it does not repeat that local files are auto-uploaded to PixVerse cloud storage and should not contain sensitive or confidential content. This omission can mislead users into uploading multiple private images without realizing they are being transmitted off-device, increasing the risk of inadvertent data exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly states that when a local file path is provided, the CLI uploads the video to PixVerse cloud storage, but it does not warn the user that local media will leave the machine and be transmitted to a third party. This is a real privacy/security issue because users may unknowingly upload sensitive or proprietary video content, especially in automation contexts where local-path inputs are common.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs users to provide local video and audio file paths to `pixverse create` operations, which implies those files may be uploaded to PixVerse for processing, but it gives no warning that local media is transmitted to a third-party service. This creates a real privacy and data-handling risk because users may unknowingly send sensitive or proprietary media off-device under the assumption the tool is purely local CLI processing.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill instructs users to provide local image/video paths and to download generated assets, but it does not warn that those files may be uploaded to a third-party service or that downloaded outputs should be treated as untrusted content. In an agent setting, this omission can lead to unintended disclosure of sensitive local media and unsafe handling of remote files because the workflow normalizes file transfer without explicit consent or safety guidance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to supply local file paths or remote image URLs to a third-party service but does not explicitly warn that those images will be transmitted off-device to PixVerse. This creates a real privacy and data-handling risk because users may provide sensitive personal, proprietary, or regulated images without understanding they are being uploaded externally.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation instructs agents to use `workspace switch`, which persistently changes the active workspace across sessions and alters which credits and assets subsequent commands affect, but it does not prominently require user confirmation or warn about the risk of cross-workspace actions. In an agent setting, this can cause unintended spending, data access confusion, or actions against the wrong personal/team workspace after the switch has occurred.

Session Persistence

Medium
Category
Rogue Agent
Content
Key facts:
- The **server** is the source of truth for the active workspace — the CLI syncs with it
- All creation commands (`create video`, `create image`, etc.) automatically operate in the active workspace via the `Workspace-Id` HTTP header
- Switching workspace changes which credits are consumed and which assets are visible
- Workspace state persists across CLI sessions in `~/.pixverse/`
Confidence
90% confidence
Finding
create video`, `create image`, etc.) automatically operate in the active workspace via the `Workspace-Id` HTTP header - Switching workspace changes which credits are consumed and which assets are visi

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.