Video Joypix

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-rendering skill, but users should understand that prompts and uploaded media are sent to a remote NemoVideo service.

Install only if you are comfortable sending prompts and uploaded photos, videos, audio, or brand assets to NemoVideo's remote cloud API. Avoid sensitive media unless you trust that provider's retention and privacy practices, and review token/session behavior if you need strict data-control guarantees.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The routing table sends essentially all unmatched prompts to the SSE generation action, which can cause ordinary user requests to be forwarded to the remote backend without sufficiently explicit intent. In this skill, that increases the chance of accidental cloud transmission of prompts and files, unexpected API use, and user confusion about when remote processing is invoked.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to connect to external APIs and upload user content to a cloud rendering pipeline, but the user-facing description does not clearly warn that prompts, files, and session data are sent to a third-party remote service. This creates a privacy and consent risk, especially because users may share personal photos, videos, audio, or branded assets assuming local handling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal