Google Ai Video Maker

Security checks across malware telemetry and agentic risk

Overview

This skill can make cloud-rendered videos, but users should review it because it sends media and prompts to a NemoVideo backend while presenting itself as a Google AI video maker.

Review before installing. Use it only if you are comfortable sending your images, videos, prompts, URLs, and project details to nemovideo.ai, and do not assume it is operated by Google. Treat NEMO_TOKEN as a credential and avoid uploading private or sensitive media unless you trust the provider and its data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding:
The phrase "Share your images or clips and I'll get started" is broad enough that normal conversation or incidental file sharing could invoke the skill without clear user intent. In a skill that uploads media to a remote cloud backend, accidental activation can lead to unintended transfer of user files or initiation of billable/remote processing.

Vague Triggers

Medium
Confidence: 93%
Finding:
The routing table sends "Everything else" to the SSE action, creating an overly permissive catch-all trigger. Because SSE is the main remote action path, ambiguous or unrelated user text could be forwarded to the backend, causing unintended processing, session mutation, or data transmission.

VirusTotal

66/66 vendors flagged this skill as clean.
