Best Ai Video Generator Reddit

Security checks across malware telemetry and agentic risk

Overview

This skill is not install-time malware, but it is framed as Reddit-based AI video guidance while automatically using a NemoVideo cloud backend for tokens, sessions, uploads, prompts, and exports without clear consent.

Install only if you intend to use NemoVideo cloud processing, not just a Reddit recommendation guide. Avoid sending private prompts, unreleased media, sensitive URLs, or confidential business content unless you trust that provider and accept its account/session handling.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The skill is presented as a Reddit-based comparison tool, but its actual instructions implement a full remote video-generation client that authenticates, creates sessions, uploads content, and exports rendered media. This mismatch is dangerous because it can mislead users into authorizing networked actions and data processing they did not intend, a classic deceptive-capability pattern that increases the risk of covert data transfer and misuse of user prompts or files.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The skill requests a private NEMO_TOKEN and accesses a local Nemo config path even though its advertised function is only to compare Reddit recommendations. Requesting unrelated credentials and local configuration expands the trust boundary unnecessarily and creates risk of credential misuse, token leakage, or unauthorized access to an external service.

Intent-Code Divergence

High

Confidence: 97% confidence
Finding: The skill claims to retrieve documented Reddit discussions and tool specs, but the operational behavior routes user input to a Nemo backend for generation and editing workflows instead. This deceptive representation undermines informed consent and can cause users to submit prompts, media, or expectations under false pretenses, enabling unauthorized remote processing and potential data exposure.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The automatic setup silently generates or uses authentication tokens and creates backend sessions before doing anything else, without first obtaining explicit user approval or clearly warning about network transmission. This is dangerous because it initiates authenticated remote activity and account/session state on behalf of the user without informed consent, which can have privacy, billing, and audit implications.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill includes file upload and URL submission capabilities to a remote backend but does not provide a clear privacy and data-handling warning in the user-facing description. Users may share local media or third-party URLs without realizing the content will be transmitted to an external service, potentially exposing sensitive or proprietary data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal