Nonsensical Video Generator Free Download

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation workflow that sends prompts and chosen media to NemoVideo, with no hidden local code or destructive behavior found.

Install only if you are comfortable sending video prompts, supplied URLs, and any media you choose to upload to NemoVideo's cloud service. Avoid private or regulated media unless you trust that provider's privacy and retention practices, and prefer a dedicated or low-value token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest presents a narrow text-to-video generator, but the body documents a much broader cloud video-editing system with uploads, arbitrary session inspection, timeline manipulation, and export operations. This capability expansion increases the attack surface and user surprise risk, because the skill can handle and transmit substantially more user content and state than the advertised purpose suggests.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
Allowing media import from arbitrary URLs introduces a network-fetch capability unrelated to the narrowly described prompt/video upload workflow. This can be abused to retrieve attacker-controlled content, cause unintended data flows to third-party endpoints, or facilitate fetching from sensitive/internal locations if backend protections are weak.

Vague Triggers

Medium
Confidence: 88%
Finding
Routing 'everything else' to generation/edit actions is overly permissive and can cause the skill to activate on unrelated conversation content. Broad triggering increases the chance of accidental cloud actions, unintended uploads/edits, and user data being sent to the backend without sufficiently specific intent.

Vague Triggers

Medium
Confidence: 86%
Finding
The invocation examples use very broad everyday language and do not establish strong activation boundaries. In practice this can increase accidental triggering and make it easier for unrelated user text to be interpreted as authorization to contact the backend or start a media workflow.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill sends prompts, uploads, and session content to a remote cloud backend, but the setup text does not clearly warn users that their data leaves the local environment. This creates a privacy and consent problem, especially because uploaded media may contain sensitive information and the workflow encourages seamless automatic connection.

VirusTotal

66/66 vendors flagged this skill as clean.
