Ai Video Maker Effects Videa

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill that sends user media and prompts to a remote rendering service as part of its stated purpose.

Install only if you are comfortable sending uploaded video, audio, images, prompts, and related metadata to nemovideo.ai for cloud processing. Avoid sensitive media, use a scoped token if providing NEMO_TOKEN, and expect the skill to create a remote session or anonymous starter token when used.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The catch-all routing sends nearly any unmatched prompt into the remote editing workflow, increasing the chance that ambiguous or unintended user input triggers backend processing and data transmission. In a skill that uploads media and issues server-side edit requests, broad intent matching can cause actions beyond what the user clearly authorized.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to automatically obtain tokens and connect to a remote backend before handling requests, while explicitly hiding technical details from the user. That means user prompts and uploaded media may be transmitted off-platform without clear notice or consent, which is a meaningful privacy and trust risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal