Text To Video Invideo

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill connects to a disclosed cloud video service to turn user-provided text or files into videos, with no executable install code or hidden local access found.

Install only if you are comfortable sending prompts, selected documents, media, URLs, and project state to the disclosed NemoVideo cloud API for processing. Avoid uploading sensitive material unless you trust that provider, and use a dedicated NEMO_TOKEN if you configure one.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding:
The skill advertises highly generic activation phrases like 'convert my text prompts' and short fragments such as 'turn this blog post intro into', which are likely to occur in normal conversation. This can cause unintended invocation and automatic connection to the remote API, potentially sending user content to a third-party service without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence: 96%
Finding:
The routing table includes an 'Everything else' catch-all that sends unmatched input to the SSE generation endpoint. In practice, this means ordinary user text can be treated as a command and forwarded to the backend, increasing the risk of accidental data disclosure, unintended billable actions, or remote operations without clear consent.

VirusTotal

65/65 vendors flagged this skill as clean.
