Free Nemo Video

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-editing skill, but it should be reviewed because it can automatically connect to NemoVideo, use or obtain a token, and send prompts or media with limited upfront user consent.

Install only if you intentionally want NemoVideo cloud processing. Avoid confidential, private, client, or regulated media unless you trust the provider's privacy and retention practices, and treat NEMO_TOKEN as a sensitive credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill uses very broad activation phrases like "edit my video clips" and a generic startup prompt inviting users to just share clips or ideas, which can cause unintended invocation during ordinary conversation. In an agent context, accidental routing can trigger backend connection setup and subsequent file-handling flows without the user clearly intending to use this third-party service.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs uploading local video files or remote URLs to a cloud backend and even encourages users to "share your video clips" without a clear, user-facing disclosure that media will be transmitted to an external service. Because videos often contain sensitive visual, audio, metadata, or location information, lack of explicit notice and consent creates a meaningful privacy and data-exfiltration risk.

VirusTotal

65/65 vendors flagged this skill as clean.
