Text To Video Ai Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only cloud video-generation helper that sends prompts and uploaded files to NemoVideo, which fits its stated purpose but needs privacy awareness.

Install only if you are comfortable sending prompts and uploaded TXT, DOCX, PDF, image, audio, or video files to NemoVideo for cloud processing. Avoid sensitive, regulated, or proprietary material unless that third-party handling is acceptable, and invoke it only when you clearly intend to use this video-generation service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill is presented as a text-to-video tool for text/script uploads, but the instructions authorize a much broader media-editing pipeline including video, image, and audio uploads. This scope expansion increases the chance that users or host systems send more data than expected to a remote service, weakening informed consent and violating least-privilege expectations for the skill.

Context-Inappropriate Capability

Low
Confidence: 84%
Finding
The skill instructs the agent to derive local install-path information and transmit platform attribution headers to the vendor API, even though that information is not necessary for basic text-to-video generation. Sending local environment-derived metadata creates avoidable fingerprinting and privacy leakage that could be used for tracking or profiling users across sessions.

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation examples are extremely generic phrases such as 'export 1080p MP4' and 'generate my text prompts', which overlap with ordinary user language outside this specific skill. This can cause accidental activation and unintended transmission of user content or initiation of remote setup steps without clear intent to use this third-party service.

Vague Triggers

Medium
Confidence: 93%
Finding
The routing logic uses a catch-all rule where nearly any remaining prompt is sent to the SSE backend. In context, that means arbitrary user text may be forwarded to a remote API, increasing the risk of unintended data disclosure, surprise network activity, and over-broad skill interception.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill describes uploading user files to a cloud API and processing them remotely, but does not provide a clear privacy or data-transfer warning at the point of use. Users may reasonably believe the operation is local or may not understand that potentially sensitive documents are being transmitted to a third-party service.

Missing User Warnings

Medium
Confidence: 96%
Finding
The automatic setup silently creates or reuses authentication tokens and opens a remote session before doing anything else, without a user-facing warning. This is dangerous because it initiates network communication and account/session state on a third-party backend without informed consent, and may expose user activity metadata even before substantive use.

VirusTotal

66/66 vendors flagged this skill as clean.
