Video Canva

Security checks across malware telemetry and agentic risk

Overview

Video Canva is a disclosed cloud video-editing skill; the main caution is that uploaded media and broad edit prompts go to NemoVideo's backend.

Install only if you are comfortable sending selected images, clips, audio, prompts, and project state to mega-api-prod.nemovideo.ai for cloud rendering. Use explicit requests such as 'use Video Canva to...', avoid sensitive or confidential media unless you trust the provider, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 79%
Finding
The catch-all routing rule sends 'everything else' to the SSE backend, which can cause ordinary conversation or ambiguous prompts to be forwarded to a remote processing service without sufficiently bounded intent. In a skill that accepts user files and performs cloud-side actions, this increases the chance of unintended remote operations and data transmission based on loosely matched input.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill states that uploaded images or clips are processed on remote GPU nodes, but it does not require a clear, affirmative user warning at the moment data is transmitted. This can result in users unknowingly sending potentially sensitive media to a third-party cloud backend, creating privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
