Back to skill

Security audit

p-image-ideogram

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a media-generation guide, but it overreaches beyond still images and under-discloses third-party handling of prompts, images, and voice text.

Install only if you are comfortable with the agent using third-party media APIs. Avoid confidential prompts, private images, regulated data, or real-person likeness and voice content unless you have rights and consent. Treat avatar/video and demographic-representation workflows as requiring explicit user approval rather than automatic behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The document materially broadens a photoreal still-image skill into a cross-skill pipeline spanning image generation, try-on, editing, upscaling, and avatar video. This kind of scope drift is dangerous because an agent selecting this skill may be induced to invoke adjacent capabilities the manifest does not authorize, weakening tool-boundary enforcement and increasing the chance of unintended data flow across tools.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill metadata says this skill is for high-fidelity photoreal stills, but the reference promotes anime, cel-shaded, claymation, and CG 3D workflows. That mismatch can cause an agent to apply the skill outside its declared trust boundary, producing unsupported outputs or routing user requests into different media-generation behaviors than intended.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The avatar-video section exceeds the skill's stated purpose and provides operational guidance for downstream video generation, including voice and motion planning. This is dangerous because it can steer an agent into unauthorized multimodal actions and cross-skill execution paths that users and policy layers may not expect from a still-image skill.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The example includes a concrete curl call to Replicate that sends the full prompt to an external API endpoint, but the surrounding guidance does not disclose that prompt contents will leave the local environment. In a skill context, users may paste proprietary creative briefs, names, or sensitive text into prompts, so the omission creates a real data-sharing risk even if the transfer is expected for the service to function.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The guidance tells the agent to vary protected or sensitive demographic attributes such as ethnicity, gender, age, body type, and disability aids as a default generation axis, without requiring user request or consent. That can cause unsolicited inference or insertion of sensitive traits into outputs, creating fairness, stereotyping, and policy-compliance risks in ordinary image-generation flows.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to make crowd ethnicity 'match' a named location by explicitly enumerating racial or ethnic groups as a default rule. This operationalizes demographic profiling and encourages race-based prompt construction tied to geography, which can reinforce stereotypes and produce discriminatory or exclusionary outputs.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation includes ready-to-run API calls that send prompts and authenticate with an API key to a remote service, but it does not warn users that content is transmitted off-platform or that credentials must be handled securely. In a skill context, users may paste sensitive prompts or mishandle environment variables without understanding the privacy and credential exposure implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This avatar example transmits image URLs and voice script content to an external API without a user-facing disclosure about remote processing. Because the content may include biometric-like face imagery, personal likeness, and authored speech, the omission increases the risk of privacy violations, unconsented data sharing, and inappropriate processing of sensitive media.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Like the previous avatar example, this example sends user-controlled media and script content to a remote service without clearly disclosing external transmission. In this skill's context, the data concerns generated character/avatar assets and spoken content, so silent sharing can mislead users about privacy, retention, and downstream use of their inputs.

External Transmission

Medium
Category
Data Exfiltration
Content
-H 'Model: p-video-avatar' \
  -d '{
    "input": {
      "image": "https://api.pruna.ai/v1/files/APPROVED_STILL_ID",
      "voice_script": "Hey — we put the patchwork set on a real street plate, not a white studio. Face and background stayed put.",
      "voice": "Puck (Male)",
      "voice_language": "English (US)",
Confidence
90% confidence
Finding
https://api.pruna.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
-H 'Model: p-video-avatar' \
  -d '{
    "input": {
      "image": "https://api.pruna.ai/v1/files/ANIME_STILL_ID",
      "voice_script": "So — same motion grammar, totally different world. That is the point of planning each scene.",
      "voice": "Zephyr (Female)",
      "voice_language": "English (US)",
Confidence
90% confidence
Finding
https://api.pruna.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
## p-image-ideogram (Pruna deployment)

Deployment: `prunaai/p-image-ideogram-preview`  
Endpoint: `POST https://api.replicate.com/v1/deployments/prunaai/p-image-ideogram-preview/predictions`  
Required input: `prompt`  
Optional: `mode` (`very low` · `low` · `medium` default · `high` · `very high`), `aspect_ratio`, `image_size`, `width`, `height` (when `aspect_ratio=custom`), `seed`, `output_format`, `output_quality`
Confidence
84% confidence
Finding
https://api.replicate.com/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.