Editorjs Highlight

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-highlighting skill, with the main user risk being that media, prompts, and optional URLs are sent to NemoVideo for processing.

Install this only if you are comfortable using NemoVideo’s cloud backend. Do not upload confidential or regulated videos, and only provide remote URLs that you intentionally want the service to fetch and process. Treat NEMO_TOKEN as a temporary service credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The upload workflow allows ingestion from arbitrary remote URLs, which materially expands the trust boundary beyond user-supplied local media. This can enable the skill to fetch attacker-controlled or internal-network resources, creating SSRF-style risk, unexpected data transfer, and content sourcing the user may not realize is permitted because the manifest only advertises file uploads.

VirusTotal

66/66 vendors flagged this skill as clean.
