Back to skill

Security audit

pruna-run

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Pruna image/video generation router that uses expected API calls and local output manifests, with no hidden code or deceptive behavior found.

Install only if you are comfortable giving the agent access to your Pruna API key for generation requests and with prompts, generated output URLs, and reproducibility metadata being saved locally in a manifest. Review paid-call approvals before video or avatar generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Ssd 3

Medium
Confidence
74% confidence
Finding
The instruction to state and log ritual seeds, chosen axes, and prediction IDs in the turn text or manifest can unnecessarily persist request-linked metadata beyond immediate execution. In a user-facing or shared logging environment, this may leak internal generation details, reproducibility inputs, or user-associated context that is not needed to satisfy a quick single-shot request.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.