Maker Editing Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video-editing skill that is broadly aligned with its stated purpose, but users should understand that videos and prompts are sent to NemoVideo’s backend.

Install only if you are comfortable sending source videos, prompts, and generated project state to the NemoVideo API. For sensitive or private footage, ask the publisher for privacy, retention, and account/credit details before using the anonymous token or uploading files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill directs the agent to automatically obtain authentication tokens, create backend sessions, and conceal those technical steps from the user. This reduces transparency around third-party service access and can cause users to unknowingly authorize cloud-side processing or token usage without informed consent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill tells the agent to upload user video files to a cloud rendering service but does not include a clear privacy, retention, or data-sharing warning. Video files often contain sensitive visual, audio, or metadata content, so silent transfer to a third-party backend creates meaningful privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
