Ai Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: generate videos through named third-party AI video providers using user-supplied prompts, optional images, and API keys.

Install this only if you intend to use Luma, Runway, or Kling accounts for video generation. Prefer environment variables over passing API keys on the command line, expect provider quota or billing usage, and avoid submitting confidential prompts or private images unless you accept the selected provider's data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions, but its documented behavior clearly requires environment-variable access for API keys and network access to third-party video generation services. This mismatch can mislead reviewers and users about the skill's capabilities, reducing informed consent and weakening sandbox or policy enforcement expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation tells users to send prompts, optional input images, and authenticated API requests to Luma, Runway, and Kling, but does not warn that this data leaves the local environment and is processed by third parties. This creates a privacy and data-handling risk because users may unknowingly submit sensitive text, images, or account-linked requests to external services.

VirusTotal

VirusTotal findings are pending for this skill version.
