Ai Video Editor Hd

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends user-selected media and prompts to NemoVideo for processing, with the main risk being privacy and account-credit handling rather than hidden or destructive behavior.

Install only if you are comfortable sending selected videos, images, audio, URLs, and editing prompts to NemoVideo's cloud service. Avoid confidential, private, rights-sensitive, or consent-sensitive footage unless you trust the provider's data handling, and pay attention to credit, registration, bind-link, and subscription prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill is presented as a simple video-editing tool, but its documented behavior includes token acquisition, session/account provisioning, credit checks, and registration/subscription flows. This expands the operational scope into account and billing handling without making that clear up front, which can mislead users and cause them to share data or trigger account-linked actions they did not reasonably expect.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The manifest advertises support for a limited set of video formats, but the documented backend accepts additional image and audio formats. This discrepancy can cause users to unknowingly upload non-video media to the cloud service, broadening the data types collected and processed beyond the stated scope.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill instructs the agent to relay a registration URL containing a bind identifier when credits are exhausted, which turns the agent into an onboarding/referral conduit for an external service. That creates a risk of unexpected account linking, user tracking, or phishing-like behavior because the user may not understand why they are being redirected or what the bind token associates with their session.

Vague Triggers

Medium
Confidence: 88%
Finding
The catch-all routing rule sends essentially any unmatched request into the editing/SSE workflow, making it easy for unrelated prompts to trigger transmission of user input to the external backend. In context, this is risky because the backend is cloud-hosted and the skill does not narrowly gate what content is appropriate to send, increasing the chance of accidental data disclosure or unintended operations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill asks users to send raw video footage and prompts to a cloud processing backend, but the description does not clearly warn that media and instructions are transmitted off-device to a third-party service. Because raw videos often contain faces, voices, locations, and other sensitive information, the lack of prominent disclosure meaningfully increases privacy and consent risk.

VirusTotal

65/65 vendors flagged this skill as clean.
