Animation Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-animation connector whose network use and media uploads match its stated purpose, but users should treat uploaded prompts and files as being sent to NemoVideo’s service.

Install only if you are comfortable sending selected images, videos, media URLs, prompts, and session metadata to NemoVideo’s cloud backend. Avoid confidential or proprietary media unless you trust that provider’s privacy and retention practices, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 86% confidence
Finding
The catch-all rule routes 'Everything else' to SSE generation, which can cause unintended backend actions for ordinary conversation or ambiguous prompts. In this skill, unintended routing is more dangerous because it can automatically send user prompts to a remote service and potentially start billable or privacy-sensitive processing without clear user intent.

Missing User Warnings

Medium, 95% confidence
Finding
The skill explicitly performs automatic backend connection, anonymous token acquisition, session creation, and later media upload, but it does not clearly warn users that their prompts and files will be transmitted to a third-party cloud service. This creates a real privacy and consent issue, especially because the skill handles user-supplied images and videos up to 500MB and initiates network setup automatically on first open.

VirusTotal

64/64 vendors flagged this skill as clean.
