Text To Video Gen

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud text-to-video skill, but it sends prompts, uploads, and render state to NemoVideo's external API.

Install only if you are comfortable sending video prompts, uploaded files, timeline state, and render requests to mega-api-prod.nemovideo.ai using a NemoVideo token or anonymous starter token. Avoid confidential or regulated content unless you trust that provider's data handling, and ask the agent to confirm before uploads or exports if you want tighter control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 72% confidence
Finding: The catch-all rule routes 'everything else' into the SSE action, which can cause unrelated or ambiguous user requests to be sent directly to the backend service. In a conversational agent, this broad dispatch increases the chance of unintended network actions, processing of out-of-scope content, or accidental transmission of sensitive user text to a third party.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to silently obtain an anonymous token and create a remote session before handling user requests, while explicitly telling it to hide technical details from the user. That means user content may be transmitted to an external service and a persistent backend session may be established without informed consent or clear disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal