Media.io Vidu Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Media.io video-generation wrapper, with the main caution that it sends prompts, image URLs, and an API key to Media.io and may use account credits.

Install this if you intend to use Media.io Vidu through its API. Use a revocable Media.io API key if possible, expect generation requests to consume credits, and only provide public, non-sensitive image URLs and prompts that you are comfortable sending to Media.io. VirusTotal was pending, while the available static scan and artifact review did not show malicious behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The documentation instructs users to provide an external image URL for server-side fetching, but does not warn about the security implications of fetching user-supplied remote content. This can enable SSRF-like abuse against the upstream service, unintended transmission of private URLs, or ingestion of malicious/untrusted content if callers pass internal or sensitive endpoints.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal