Music To A

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill that sends chosen media and editing prompts to NemoVideo, with some transparency caveats but no evidence of malicious behavior.

Install this only if you are comfortable using NemoVideo's cloud service. Do not upload sensitive or unreleased media unless you trust the provider, keep NEMO_TOKEN private, and be aware that ambiguous editing prompts may be sent to the backend while the skill is active.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The broad fallback rule routes essentially all unmatched prompts to the SSE backend, which can cause overbroad activation and transmission of user input to a remote service even when the request is unrelated to this skill. In a skill environment, that increases the chance of unintended data disclosure, surprise tool invocation, and processing of out-of-scope requests without clear user intent.

Natural-Language Policy Violations

Medium

Confidence: 76% confidence
Finding: Automatically detecting the user's language and submitting it to the backend without user choice or necessity creates an unnecessary data-sharing pathway and weakens transparency. While language seems low sensitivity, inferred locale or language can still be personal metadata, and silently transmitting it is avoidable when a default or user-selected value would suffice.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal