Editor Instagram

Security checks across malware telemetry and agentic risk

Overview

This skill is a remote Instagram video-editing helper that clearly sends media to a cloud rendering service, with no installer or hidden local code.

Install only if you are comfortable sending videos, images, audio, and edit prompts to the nemovideo remote service for processing. Avoid confidential or highly personal footage unless you have reviewed the provider's privacy, retention, deletion, and billing terms, and treat NEMO_TOKEN or generated anonymous tokens like account credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to automatically authenticate to a third-party service, create a session, and upload/process user media remotely without an explicit user consent or clear privacy notice at the point of transfer. Because the workflow uses environment credentials or anonymously mints tokens and immediately connects before 'doing anything else,' users may not realize their files and prompts are being transmitted off-platform to an external processor.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal