Editor Fixed

Security checks across malware telemetry and agentic risk

Overview

This appears to be a cloud video rendering skill whose uploads and token use fit its purpose, but users should understand that their media leaves the device.

Install only if you are comfortable sending selected videos, prompts, and render metadata to the cloud rendering provider. Avoid confidential, personal, biometric, unreleased, or rights-sensitive media unless you trust the provider's retention and privacy terms, and prefer a limited-use or anonymous token where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to automatically use environment credentials or acquire anonymous tokens and initiate network sessions without explicit user consent or clear disclosure. This creates a security and privacy risk because the agent may transmit identifiers and authenticate to third-party services on the user's behalf, potentially exposing account usage, metadata, and service interactions unexpectedly.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill directs users to upload video files to a cloud rendering pipeline and describes backend processing, but it provides no explicit privacy, retention, or data-handling notice. Because user videos may contain sensitive personal, commercial, or biometric information, silent third-party upload and processing materially increases confidentiality and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal