Video Generator Freepik

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation helper, but users should understand that prompts and uploaded media go to an external NemoVideo backend.

Install only if you are comfortable sending the images, URLs, prompts, and related session metadata you use with this skill to NemoVideo's cloud service. Avoid confidential client assets or private media unless you have verified the service's privacy and retention terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The routing rules are broad enough to match generic video-editing requests such as upload, export, status, and generate, which can cause the skill to activate outside its stated Freepik-specific scope. That increases the chance of unintended cloud processing of user prompts or files and can mislead users about which backend is receiving their data.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs automatic token acquisition, session creation, and cloud backend use, but does not clearly warn users that uploaded files, prompts, and related metadata will be transmitted to a remote service. This creates a privacy and consent risk, especially because setup is framed as automatic on first use and may occur before the user understands where content is sent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal