Text To Ai Video

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill is not clearly malicious, but it can automatically connect to NemoVideo and forward broad or ambiguous prompts to a remote backend.

Install only if you are comfortable sending video files, images, audio, URLs, prompts, and project state to NemoVideo. Use it for explicit video-generation or editing requests, avoid private media unless you trust the provider, and confirm before uploads, exports, or ambiguous edits.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The routing guidance says prompts about text-to-video, aspect ratio, text overlays, or audio tracks should be routed by keyword and intent classification, which is broad enough to capture unrelated user requests that merely mention overlapping terms. This can cause unintended invocation of the skill and accidental transmission of user content to the external Nemo backend without sufficiently clear user intent.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The catch-all rule sends 'Everything else' to the SSE action, meaning any unmatched prompt may be forwarded to the remote service. This is risky because broad fallback routing can exfiltrate unrelated user input, trigger unintended paid or stateful operations, and reduce user control over when third-party processing occurs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal