Video Editing With Mac

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should know their videos and prompts are sent to NemoVideo’s remote service.

Install only if you are comfortable sending selected video files, prompts, edit state, and render jobs to NemoVideo’s cloud service. Avoid uploading confidential screen recordings, private footage, or files with sensitive metadata unless you trust that service’s privacy and retention practices; use your own NEMO_TOKEN if you want clearer account control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to automatically connect to a third-party backend and obtain a token on first open, before clearly informing the user that network requests will occur. This can cause silent transmission of metadata and external account/session creation without meaningful consent, which is especially sensitive in an agent environment.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill encourages users to drop raw video footage into chat while only later mentioning that editing runs on cloud GPUs, so users may upload potentially sensitive recordings without an upfront, prominent disclosure that files are processed remotely. Video files often contain personal, confidential, or embedded metadata, making undisclosed cloud transfer a meaningful privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal