Joyfun Ai Text To Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud text-to-video integration, but users should treat anything they upload or type for video generation as being sent to the Joyfun/NemoVideo service.

Install only if you are comfortable sending prompts, URLs, documents, or media you choose to use with the skill to Joyfun/NemoVideo cloud services. Avoid confidential, regulated, or sensitive files unless you accept that provider's data practices, and keep any NEMO_TOKEN out of logs or shared chats.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The routing table sends all unmatched prompts to the generation/SSE path, which can cause unintended outbound API calls and processing for vague or unrelated user input. In a skill that uploads content and creates remote sessions automatically, this broad trigger increases the chance of over-collection, surprise network transmission, and accidental use of paid or stateful backend operations.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to automatically generate an anonymous token and create a remote session before doing anything else, but does not require a user-facing notice or consent before transmitting data to a third-party service. This is dangerous because user prompts and uploaded files may be sent off-platform without clear disclosure, creating privacy, compliance, and trust risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal