Free Free Text

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud text-to-video connector whose uploads and API calls fit its stated purpose, but users should know their prompts and documents go to NemoVideo.

Install only if you are comfortable sending prompts, documents, session metadata, and rendered video requests to NemoVideo's cloud service. Avoid confidential, regulated, or proprietary files unless you trust that provider, and ask the agent to confirm before uploading files or exporting videos.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill encourages users to upload TXT, DOCX, PDF, and other text files but does not clearly warn that those files and prompts are transmitted to a third-party cloud backend for processing. This creates a meaningful privacy and data-handling risk because users may share sensitive documents under the assumption that processing is local or otherwise not disclosed.

Natural-Language Policy Violations

Medium

Confidence: 84% confidence
Finding: Hard-coding the session language to English without user consent can cause misprocessing of prompts, incorrect handling of multilingual content, and unintended transmission of transformed or misunderstood user intent to the backend. While not a severe exploit primitive, it can degrade correctness and user control in a way that is security-relevant for sensitive or precise content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal