Video Editing Ai Android

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill that sends user-provided media and prompts to NemoVideo for remote processing, with no hidden executable code found.

Install only if you are comfortable sending selected media and editing prompts to NemoVideo’s cloud API. Use a dedicated token if possible, do not paste tokens into chat, and confirm exports or credit-consuming actions when cost or privacy matters.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The example trigger phrases are overly broad and include generic commands like "edit my raw video footage" and an incomplete phrase fragment. In environments where skills are selected or invoked by prompt matching, this can cause unintended activation on unrelated user requests, potentially leading to unexpected network calls, session creation, token issuance, or uploads to a third-party service.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The routing table contains a catch-all rule that sends "Everything else" to the SSE edit path, effectively treating most unmatched input as an instruction to the remote backend. This makes accidental invocation much more likely and increases the attack surface, because arbitrary user text may be forwarded to an external API with an authenticated session.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal