Short Video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should expect media and prompts to be sent to NemoVideo’s remote service.

Install only if you are comfortable sending selected video, audio, images, prompts, and edit-session metadata to NemoVideo’s cloud service. Use non-sensitive media first, and prefer a dedicated NEMO_TOKEN if you configure one.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The trigger phrases are broad enough that ordinary conversation like 'export' or 'create my raw footage' could invoke the skill unintentionally. In this skill, accidental activation is more concerning because activation initiates network authentication and remote session setup, which can transmit identifiers and start cloud-side processing without a clear, specific user opt-in.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The catch-all routing rule means nearly any editing-related utterance falls into the SSE path, creating an ambiguous activation boundary. Because the SSE route can drive remote actions and backend-directed workflow steps, an overly broad matcher increases the risk of unintended service invocation, data transmission, and confusing cross-skill behavior.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs the agent to perform automatic authentication and create a remote session before doing anything else, including generating anonymous tokens when no credential is present. This is dangerous because it causes network access, identifier generation, and account/session establishment before the user has clearly consented to external data transfer, which is especially sensitive in a media-upload skill handling potentially private video content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal