Luma Ai

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal Luma API helper, with the main caveat that its examples send prompts and an API token to Luma.

Install if you are comfortable using Luma as an external service. Avoid putting real API keys directly in copied code; use environment variables or a secrets manager instead. Do not send sensitive prompts or media unless you accept Luma's data handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill includes concrete sample code that sends user prompts and a bearer token to a third-party API, but it does not warn users that their content and credentials will be transmitted off-platform. In an agent skill context, this can lead to unintentional disclosure of sensitive prompts, generated media metadata, or API secrets if users copy the pattern without understanding the privacy and security implications.

VirusTotal

66/66 vendors flagged this skill as clean.