Ai Video For Product Marketing

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation integration for NemoVideo, but users should understand it will use or create a token and send selected media and prompts to that service.

Install only if you are comfortable sending chosen product images, footage, prompts, and render metadata to NemoVideo. Prefer a dedicated NEMO_TOKEN, avoid confidential unreleased media unless you trust the provider, and ask the agent to confirm before uploading sensitive files or starting exports.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The skill instructs the agent to silently obtain an anonymous token from a third-party service whenever a local token is absent. That bypasses meaningful user consent and enables automatic enrollment into a remote service relationship before the user is clearly informed that authentication and cloud processing will occur.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill directs the agent to acquire credentials and send user files, prompts, and session data to a remote API while explicitly hiding technical details from the user. This creates a transparency and privacy failure: users may unknowingly upload potentially sensitive media to a third party, and the agent may also use locally available tokens without clear authorization boundaries.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal