How To Add Music To Video Online

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-editing helper that sends selected media and edit prompts to NemoVideo for rendering, with privacy and consent points users should notice.

Install only if you are comfortable sending video, audio, file URLs, and edit prompts to mega-api-prod.nemovideo.ai for cloud processing. Avoid sensitive personal or proprietary media unless you trust that service's privacy and retention practices, and set your own NEMO_TOKEN if you do not want anonymous token creation during setup.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 81% confidence
Finding: Routing nearly all unmatched requests to the SSE backend creates an overly permissive command surface and weak intent boundaries. In practice, this can cause the skill to forward unrelated or unexpectedly sensitive user input to a remote editing service, enabling unintended actions and increasing the chance of prompt/command abuse against the backend.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill automatically initiates network authentication and session creation on first open, including generating a client identifier and requesting a token, without clear prior user consent. This is risky because it causes external communication and account/session creation before the user meaningfully opts in, which can surprise users and expose metadata to a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal