Fanqie Ai Video

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, but users should know it contacts nemovideo.ai and sends selected media there for processing.

Install only if you are comfortable using a third-party cloud video service. Avoid uploading sensitive, regulated, confidential, or private footage unless you trust nemovideo.ai's handling, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 82%
Finding
The invocation guidance is broad enough that ordinary conversation like sharing footage or describing what the user is thinking could trigger the skill unexpectedly. In this skill, unintended activation is more concerning because activation leads directly into network-backed processing and possible authentication/session creation, which can cause unanticipated external data transmission.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to automatically connect to a remote backend, generate a client identifier, obtain an anonymous token, and create a session without a clear prior user-facing disclosure or consent step. This is dangerous because it can silently initiate network activity and authentication flows, and may transmit metadata or user content to a third party before the user understands that an external service is being contacted.

VirusTotal

66/66 vendors flagged this skill as clean.
