Mango Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-processing integration, but users should know their media is sent to NemoVideo for processing.

Install only if you are comfortable sending the videos, audio, images, or documents you provide to NemoVideo’s remote service for processing. Avoid using it for confidential, regulated, or highly personal media unless you have reviewed the provider’s privacy and retention terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs the agent to upload user-provided video clips to a third-party remote API, but it does not present a clear privacy notice, consent prompt, retention disclosure, or warning about transmitting potentially sensitive media off-device. Because videos may contain faces, voices, locations, and confidential content, silent transmission to an external service materially increases privacy and compliance risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal