Subtitle Maker

Security checks across malware telemetry and agentic risk

Overview

This subtitle-generation skill is transparent about using a NemoVideo API and does not include hidden code or automatic local actions.

Install only if you are comfortable sending the selected video/audio, prompts, and subtitle job details to NemoVideo for processing. Use a scoped, revocable token where possible, avoid confidential or regulated recordings unless the provider’s privacy and retention terms meet your needs, and verify you have rights and consent to upload the media.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to submit video content to a remote third-party API but does not clearly disclose that the media and any embedded sensitive information will leave the local environment for external processing. Because videos may contain confidential speech, faces, screens, or regulated data, the omission can cause users to expose sensitive content without informed consent.

External Transmission

Medium

Category: Data Exfiltration
Content: ### Step 3 — Generate ```bash curl -X POST https://mega-api-prod.nemovideo.ai/api/v1/generate \ -H "Authorization: Bearer $NEMO_TOKEN" \ -H "Content-Type: application/json" \ -d '{
Confidence: 92% confidence
Finding: curl -X POST https://mega-api-prod.nemovideo.ai/api/v1/generate \ -H "Authorization: Bearer $NEMO_TOKEN" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal