Jianying Editor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-editing workflow, but users should know their uploaded media and edit prompts are sent to Nemovideo's API.

Install this only if you are comfortable sending videos, edit prompts, and related metadata to Nemovideo's cloud service. Avoid uploading sensitive, private, or copyrighted footage unless you trust the provider's data handling and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The routing table sends all unmatched requests to the SSE editing path, which can cause ambiguous or unintended user inputs to trigger cloud-side editing actions. In a skill that uploads and transforms user media through remote APIs, overly broad intent matching increases the chance of accidental processing, unexpected external data transmission, or user confusion about what action will occur.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to upload raw user video footage to a third-party cloud API and obtain tokens automatically, but it does not clearly disclose that user media and related metadata will leave the local environment. Because videos can contain faces, voices, locations, and other sensitive information, failing to present an upfront transmission/privacy notice creates a real privacy and consent risk.

VirusTotal

63/63 vendors flagged this skill as clean.
