Back to skill

Security audit

RunAPI MCP Server

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward RunAPI media-generation helper with disclosed external task submission and no hidden install or persistence behavior.

Install this if you want your agent to use RunAPI for generated images, video, music, audio, speech, and task polling. Be aware that requests may be sent to RunAPI, generated output URLs may be temporary, and some task creation can incur provider costs; confirm ambiguous or expensive media requests before proceeding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest trigger phrases are broad enough to match common user requests like generating images, video, audio, or checking a task, which can cause the skill to activate in situations where a more specific or safer skill should handle the request. Over-broad routing increases the chance of unintended tool use, unnecessary external task submission, and reduced user transparency about when third-party media generation services are being invoked.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.