Freebeat Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video/text generation connector, but it routes broad user input and uploaded files to an external backend with limited user-facing privacy control.

Install only if you are comfortable sending prompts, documents, videos, session metadata, and generated project state to NemoVideo's cloud service. Avoid using it with private, regulated, confidential, or client-owned media unless you have reviewed the service's retention, deletion, and privacy terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The routing rule sends essentially all unmatched requests to the SSE backend, which can cause unrelated or ambiguous user messages to be forwarded to a cloud service without clear user intent. In this skill, that increases the chance of accidental disclosure of prompts or attached content to a third-party backend and can trigger unintended remote actions or processing costs.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill repeatedly emphasizes convenience and cloud processing, but it does not give a clear, upfront privacy warning that user prompts and uploaded media are transmitted to an external backend. For a tool handling videos and potentially sensitive media, this can mislead users about data handling and increase privacy/compliance risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal