Text To Video I

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud text-to-video skill whose external API use fits its stated purpose, but users should avoid sending sensitive documents or prompts.

Install only if you are comfortable sending text prompts, documents, subtitles, URLs, and generated video project data to nemovideo.ai. Use a limited token when possible, avoid proprietary or regulated content, and ask the publisher to clarify token/session storage and the ~/.config/nemovideo/ path.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly encourages users to upload text files and prompts, then transmits that content to an external backend for processing, but it does not give a clear user-facing privacy or data-sharing warning at the point of use. This can lead users to unknowingly send sensitive scripts, internal documents, or subtitles to a third-party service, creating confidentiality and compliance risk.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill directs the agent to use an environment token or obtain an anonymous token and then perform authenticated requests to a third-party API, but does not disclose this behavior to the user. While this is not direct secret exfiltration, it obscures authentication and session creation against an external service, reducing informed consent and auditability.

VirusTotal

No VirusTotal findings

View on VirusTotal