How To Create Ai Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation helper, but users should understand that it sends selected media and prompts to NemoVideo.

Install only if you are comfortable sending chosen prompts, images, video clips, and audio files to NemoVideo's cloud service under a NEMO_TOKEN or anonymous starter token. Avoid confidential, proprietary, or rights-sensitive media unless you have reviewed the provider's privacy, retention, and deletion terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill instructs the agent to obtain an anonymous backend token automatically when no local credential is present, which expands the skill's authority from using provided credentials to provisioning new remote access on the user's behalf. This creates unconsented network/authentication behavior and can be abused to access external services, consume credits, or mask accountability behind anonymous tokens.

Vague Triggers

Medium
Confidence: 84%
Finding
The invocation language is broad enough that ordinary conversations about images, clips, or creating videos may trigger the skill without a clearly bounded user request. Because this skill performs networked actions, session creation, and potential uploads, overbroad triggering increases the chance of unintended remote operations on user content.

Vague Triggers

Medium
Confidence: 82%
Finding
The description advertises very general image/audio-to-video capabilities without clear trigger constraints, making accidental routing more likely. In a skill that contacts third-party services and processes user media, ambiguous activation meaningfully raises the risk of unintended data transfer or account actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill directs the agent to acquire and use authentication tokens and create backend sessions while explicitly hiding technical details from the user. This deprives users of meaningful notice that credentials and remote API access are being used, undermining informed consent and increasing the risk of unexpected external account activity.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill tells users to send images, clips, and audio to a remote cloud-rendering service but provides no explicit privacy, retention, or data-handling warning. Because the core workflow uploads user media to third-party infrastructure, lack of disclosure can expose sensitive or proprietary content without informed user consent.

VirusTotal

65/65 vendors flagged this skill as clean.
