Instagram Editor

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, but users should understand that media and edit prompts are sent to NemoVideo for processing.

Install only if you are comfortable sending selected media files and edit instructions to NemoVideo. Avoid private, sensitive, or copyrighted material unless you trust that provider's handling and retention practices, and treat NEMO_TOKEN as a service credential.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The catch-all route sends nearly any unmatched prompt into the remote editing/SSE workflow, which can cause unintended cloud actions and media processing when user intent is ambiguous. In a skill that uploads content and talks to a backend service, overbroad routing increases the risk of accidental data transmission, unexpected API usage, and confusing execution on inputs unrelated to editing.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs users to upload media to a cloud rendering pipeline but does not present an upfront privacy or data-handling notice before remote transfer and processing. Because videos can contain sensitive personal, biometric, location, or copyrighted content, failing to disclose cloud processing and retention expectations can lead to uninformed consent and privacy harm.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal