Ai Image In Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends user-selected media to NemoVideo. That behavior is expected for its purpose, but the skill should be used only with media the user is comfortable uploading.

Install only if you are comfortable sending selected media, prompts, and render jobs to nemovideo.ai. Avoid confidential footage unless you trust that provider, keep NEMO_TOKEN private, and ask the agent to confirm before uploads or exports if you want stricter control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill instructs the agent to establish a backend connection and upload user media, including obtaining an anonymous token and creating a remote session, without requiring an explicit user-facing notice or consent for data transfer. Because users may provide private images and videos, silently transmitting them to a third-party cloud service creates a meaningful privacy and data-handling risk.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The export workflow states that cloud GPU jobs are queued remotely and that session tokens carry render job IDs, but it does not direct the agent to clearly warn users about remote processing, persistence, or orphaned job state before export. This is a real transparency/privacy issue, though lower severity because it is adjacent to an already-remote editing workflow rather than a hidden new capability.

VirusTotal

66/66 vendors flagged this skill as clean.
