Creaa Ai

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Creaa API helper, with normal privacy and API-key handling considerations for a third-party media-generation service.

Install this only if you are comfortable sending prompts, source images or videos, and task details to Creaa.ai. Keep CREAA_API_KEY secret, do not paste it into chats or commit it to repositories, and avoid submitting personal, confidential, or regulated content unless you have reviewed and accept Creaa's handling policies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill clearly instructs users to send prompts and image/video inputs to a third-party API, but it does not prominently warn that potentially sensitive user content will leave the local environment and be processed by Creaa. This creates a real privacy and data-handling risk, especially for image edits or uploads that may contain personal or confidential material.

Missing User Warnings

Low
Confidence: 84%
Finding
The skill requires a CREAA_API_KEY and shows it being sent in an Authorization header to an external service, but it does not clearly warn users about protecting the credential or limiting its exposure. While the examples do not directly leak the key, missing guidance increases the chance of unsafe handling, accidental logging, or sharing of credentials.

VirusTotal

64/64 vendors flagged this skill as clean.
