Yummy Gen Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly scoped helper for generating Google Veo videos through an external CLI, with no artifact-backed signs of hidden or destructive behavior.

Install only if you are comfortable installing @yummysource/yummycli, using a GEMINI_API_KEY, and sending prompts or selected image files to Google Veo for cloud video generation. Avoid confidential prompts or private images unless you intentionally want that provider to process them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to send user prompts and local image files to Google/Gemini via `yummycli gemini veo`, but it does not warn the user that their text and uploaded local media will leave the local environment and be transmitted to a third-party service. This creates a privacy and data-handling risk, especially if users provide sensitive prompts or images assuming processing is local.

VirusTotal

64/64 vendors flagged this skill as clean.
