Video Editing With Fast

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends user-selected media and editing prompts to NemoVideo, with privacy caveats but no evidence of hidden or malicious behavior.

Install only if you are comfortable sending selected videos, images, audio, URLs, and edit prompts to NemoVideo cloud servers. Avoid confidential footage unless you trust that provider, and use a dedicated NEMO_TOKEN where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 90% confidence
Finding: The manifest and top-level description say the skill accepts only common video formats up to 500MB, but later documentation expands supported inputs to image and audio formats as well. This mismatch can mislead users and reviewers about what data may be uploaded to the backend, weakening informed consent and policy enforcement around data types.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill routes user media to a third-party cloud backend for processing, but the initial description and onboarding prompt do not prominently warn users that their uploaded videos leave the local environment. For media files, this creates privacy and compliance risk because users may upload sensitive recordings without clear notice about remote transfer and processing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal