Text To Video Editor Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud text-to-video skill that uses NemoVideo APIs as advertised, with no evidence of hidden local execution or unrelated data access.

Install only if you are comfortable sending prompts, uploaded files, and generated project data to NemoVideo's cloud service. Avoid confidential, regulated, or private documents unless that service is approved for your use, and do not share or print the NEMO_TOKEN.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Low

Confidence: 86% confidence
Finding: The skill requests access to an environment variable and a local config path, which expands its access to local secrets and filesystem metadata beyond what a simple hosted text-to-video workflow appears to require. Even if intended for convenience, unnecessary secret and config discovery increases the risk of credential exposure or over-collection if the skill runtime or surrounding agent is compromised.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The setup flow tells the agent to connect to remote APIs before doing anything else, but it does not clearly warn users at that point that their uploaded documents and prompts will be sent to third-party processing services. For a skill handling TXT, DOCX, PDF, and SRT files, missing upfront disclosure can lead to inadvertent transmission of sensitive content to external infrastructure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal