Ai Ugc Video Editor Job

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-editing workflow that uses a NemoVideo backend and token to create Japanese-style MP4 exports.

Install only if you are comfortable sending video files, audio/images, prompts, and edit requests to the NemoVideo cloud service. Use a dedicated token if available, avoid uploading private or regulated media, and treat the broad edit-message routing as something to use only during an intentional video-editing session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The suggested invocation text is very broad and generic, including phrases like "export 1080p MP4" and "trim silences, add captions, and cut" that could plausibly appear in unrelated conversations. This increases the chance the skill activates unintentionally and begins network-backed setup, token acquisition, or session creation without the user explicitly intending to use this specific video-editing skill.

Vague Triggers

Medium
Confidence: 89%
Finding
The routing rule sends essentially all unmatched input to the SSE editing backend via the "Everything else" catch-all. In practice, this can forward arbitrary user text to an external service, causing unintended processing, session state changes, or data disclosure when the user did not clearly request video-editing operations.

VirusTotal

58/58 vendors flagged this skill as clean.
