Subtitle Video Youtube

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed remote video captioning service, but users should know videos and prompts are sent to nemovideo.ai for processing.

Install only if you are comfortable sending uploaded videos, edit prompts, and render metadata to nemovideo.ai. Use your own NEMO_TOKEN if you have one; otherwise the skill will create an anonymous starter token. Avoid using it for private or sensitive footage unless you trust the provider’s data handling.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The fallback rule routes essentially 'Everything else' to the SSE action, which can cause the skill to capture and forward unrelated user requests to an external backend. In an agent environment, overly broad activation increases the chance of unintended invocation, data leakage, and actions being taken outside the user's expected scope.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to silently establish backend connections, acquire anonymous tokens, and hide those technical details from the user. This reduces transparency around network use and credential handling, making it easier to transmit user content to third-party services without meaningful awareness or consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal