Audio Editor Online

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud audio/video editing skill that uploads selected media to NemoVideo for processing, with no evidence of hidden or malicious behavior.

Install only if you are comfortable sending selected audio/video files, URLs, edit prompts, and related metadata to NemoVideo's cloud service. Keep NEMO_TOKEN private and avoid confidential recordings unless the provider's privacy and retention terms fit your needs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The routing table includes an 'Everything else' rule that sends broadly defined requests to the SSE action, making the skill likely to activate on loosely related prompts. In a skill that uploads files and communicates with a remote backend, overly broad invocation increases the chance of accidental data disclosure, unintended remote processing, or user confusion about what service is handling their request.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill does send user media to a third-party cloud backend, but the user-facing setup and description do not prominently warn that uploaded audio/video leaves the local environment. This creates a privacy and consent risk, especially for sensitive recordings, because users may reasonably believe the editing is local or not appreciate the extent of remote processing.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal