Maker Hindi

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-making skill, but users should invoke it deliberately because its routing language is broad.

Install only if you are comfortable sending selected video, image, and audio files to NemoVideo for cloud processing. Use explicit Maker Hindi requests and confirm before uploads, exports, or actions that may consume credits.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The skill advertises very broad trigger phrases like "create my video clips or images" and generic export wording, which increases the chance it activates during ordinary conversation rather than through an explicit, narrowly scoped invocation. Because this skill can initiate authentication, create backend sessions, and process user media, accidental routing could cause unintended network actions or media uploads without clear user intent.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The routing table includes a catch-all rule sending "Everything else" to the SSE action, effectively treating many unrelated prompts as commands for a remote backend. This creates an overly permissive trigger surface where ambiguous user input can initiate external requests, backend editing actions, or session-bound operations without sufficient intent validation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal