Highlight Editor Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends uploaded footage and prompts to NemoVideo, which fits its stated purpose but requires privacy awareness.

Install only if you are comfortable sending uploaded footage, editing prompts, and related job metadata to NemoVideo for cloud processing. Avoid sensitive, regulated, confidential, or copyrighted footage unless you have reviewed the provider's privacy, retention, and billing terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The routing table sends all unmatched prompts to the SSE editing path, which can cause unrelated user input to trigger remote editing/API actions by default. In a skill that uploads media and invokes paid third-party cloud processing, this broad catch-all increases the chance of unintended processing, surprise data transfer, and accidental credit consumption.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill encourages users to drop raw video footage into chat but does not present a clear up-front warning that media is sent to a third-party cloud service for processing. Because uploaded videos may contain sensitive personal, biometric, or copyrighted content, this omission undermines informed consent and can lead to privacy and compliance issues.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal