Ai Video Editor Eraser

Security checks across malware telemetry and agentic risk

Overview

This is a real remote video-editing skill, but it sends user media to a third-party backend with weak disclosure and routes overly broad requests beyond simple object erasing.

Review before installing. Only use this with videos and prompts you are comfortable sending to NemoVideo's remote service, and avoid private, regulated, client, or copyrighted media unless you trust the provider's handling. Do not use watermark-removal features unless you own the content or have explicit permission.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The catch-all rule routes 'everything else' to the SSE editing backend, which can cause the skill to activate on vague or unrelated user requests. In a skill that uploads media and drives remote editing operations, overbroad invocation increases the chance of unintended data handling, surprise external requests, and actions outside the user's informed expectations.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to establish a backend connection and upload user video data to a remote service without an explicit user-facing notice about external transmission, retention, or processing. Because videos may contain faces, voices, locations, documents, or copyrighted material, silent transfer to a third-party backend creates significant privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal