Video Making Free Course

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill that sends user-selected media and prompts to NemoVideo for rendering, with no evidence of hidden code, destructive behavior, or unrelated data access.

Install only if you are comfortable sending selected videos, audio, images, URLs, and editing prompts to NemoVideo's cloud backend. Protect the NEMO_TOKEN, avoid confidential or regulated media unless you trust that provider, and confirm ambiguous requests before uploading files or starting exports.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The suggested invocation phrases are extremely generic, such as 'create my video clips' and 'export 1080p MP4', which can overlap with ordinary user requests in broader assistant contexts. This increases the chance of unintended skill activation and silent routing of user content or files to the external video backend without sufficiently explicit intent.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The routing table ends with a catch-all rule that sends 'Everything else' to the SSE backend, effectively treating most unmatched prompts as commands for this skill. In a multimodal assistant that can receive arbitrary text and files, this broad dispatch can cause accidental exfiltration of user prompts or media to a third-party service and invoke external actions the user did not clearly request.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal