Thread Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only cloud video editing integration that clearly centers on sending user-selected media to NemoVideo for remote rendering.

Install only if you are comfortable using NemoVideo for cloud processing. Avoid uploading private, confidential, or regulated footage unless you have reviewed the service's terms and retention practices, and ask the agent to confirm before uploads or exports if you want tighter control over API calls and credit use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The onboarding text and trigger examples are broad enough that ordinary phrases like "export," "download," or simply sharing footage could activate the skill unexpectedly. In a skill that uploads user media and acquires tokens automatically, unintended activation can cause privacy-impacting remote transfers and external API calls without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill encourages users to send video footage but does not present a prominent, up-front warning that uploaded media is transmitted to third-party remote GPU infrastructure for processing. Because the content may include sensitive or personal media, this omission undermines informed consent and increases the risk of accidental disclosure to an external service.

VirusTotal

66/66 vendors flagged this skill as clean.
