Video Lesson

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-processing skill that clearly centers on sending user-provided media to NemoVideo for rendering, with privacy considerations but no evidence of hidden or destructive behavior.

Install only if you are comfortable sending selected recordings, images, audio, URLs, prompts, and render metadata to NemoVideo cloud services. Avoid confidential or regulated recordings unless NemoVideo's privacy, retention, and compliance terms meet your needs, and treat NEMO_TOKEN as a service credential.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The skill advertises itself as handling only raw video uploads up to 500MB, but the documented backend accepts many additional media types and URL-based ingestion. This mismatch expands the effective attack surface and can lead to unexpected remote fetching, processing of unsupported content, or user data being sent to third-party URLs without a clear trust boundary.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to automatically connect to a cloud backend, obtain tokens, create sessions, and upload user video and prompts, but the user-facing description does not clearly warn that their content is transmitted off-device. For a skill handling potentially sensitive recordings, this omission undermines informed consent and increases privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal