Back to skill

Security audit

p-video-animate

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Pruna video-animation guide that sends user-chosen media to Pruna's API, with no hidden code, persistence, or destructive behavior found.

Install only if you are comfortable sending the selected video and reference image to Pruna for processing. Use media you have rights and consent to use, avoid sensitive personal footage unless appropriate, keep PRUNA_API_KEY in environment/secret storage, and do not paste full keys into chats, manifests, or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs users to upload image and video assets to a third-party API but does not provide any explicit warning about privacy, retention, consent, or handling of potentially sensitive biometric media. Because the assets include user images and videos, omission of disclosure can lead to unintended transfer of personal data to an external service and improper handling of regulated or confidential content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guidance explicitly tells the parent agent to pass a `PRUNA_API_KEY` to subagents, but it provides no constraint on scoping, redaction, storage, or trust boundaries for those subagents. In agent-hosted environments, subagents may have separate prompts, logs, tool access, or telemetry, so forwarding a raw API key increases the risk of credential leakage or misuse beyond the minimum necessary execution scope.

External Transmission

Medium
Category
Data Exfiltration
Content
-H 'Model: p-video-animate' \
  -d '{
    "input": {
      "video": "https://api.pruna.ai/v1/files/source-video-abc123",
      "image": "https://api.pruna.ai/v1/files/reference-image-def456",
      "resolution": "720p",
      "target_fps": "original",
Confidence
93% confidence
Finding
https://api.pruna.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{
    "input": {
      "video": "https://api.pruna.ai/v1/files/source-video-abc123",
      "image": "https://api.pruna.ai/v1/files/reference-image-def456",
      "resolution": "720p",
      "target_fps": "original",
      "instruction_prompt": "Animate the reference subject using the motion from the source video."
Confidence
93% confidence
Finding
https://api.pruna.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
-H 'Try-Sync: true' \
  -d '{
    "input": {
      "video": "https://api.pruna.ai/v1/files/source-video-abc123",
      "image": "https://api.pruna.ai/v1/files/reference-image-def456"
    }
  }'
Confidence
91% confidence
Finding
https://api.pruna.ai/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.