Best Product Video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud product-video editing skill, but users should understand that uploaded media and prompts go to NemoVideo's remote service.

Install only if you are comfortable sending product footage, images, URLs, edit prompts, and generated project state to NemoVideo's cloud service. Avoid uploading confidential commercial media unless NemoVideo's terms, retention, and deletion practices are acceptable for your use case, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to upload user-provided media to a third-party cloud API and process it on remote infrastructure, but it does not require a clear, user-facing disclosure or consent step immediately before transmission. This creates a real privacy and data-handling risk, especially because uploaded files may contain sensitive imagery, metadata, or proprietary product content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal