Security audit

Max Studio Api

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Max Studio API wrapper that sends user-provided API keys, Google access tokens, prompts, and media URLs to the documented service.

Install only if you trust Max Studio with your API key, Google access token, prompts, and any media URLs you submit. Prefer short-lived tokens, avoid putting secrets in chat logs or shell history, do not provide private/internal or secret-bearing URLs, and choose download paths carefully.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The documentation instructs integrators to obtain and transmit an API key and later requires Google access tokens (`jwt`) and media URLs, but it does not include any privacy or credential-handling warning. In an agent skill context, this increases the chance that users paste long-lived secrets or sensitive media links into prompts or logs, where they may be retained, exposed to the model, or mishandled by downstream tooling.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.