Tiktok Ai Text To

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for sending text or uploaded files to NemoVideo for cloud video rendering, with no executable installer or hidden destructive behavior found.

Install only if you are comfortable sending prompts, scripts, and uploaded files to NemoVideo's cloud service for processing. Avoid confidential documents unless you trust that service's data handling, and review or provide NEMO_TOKEN intentionally if you do not want anonymous token setup handled automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill encourages users to upload scripts/files and describes cloud GPU processing, but it does not clearly warn users at the point of use that their prompts and uploaded content are transmitted to a third-party remote service. This can lead to unintended disclosure of sensitive text, documents, or subtitles, especially because supported inputs include DOCX/PDF/SRT files up to 200MB.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill instructs the agent to automatically connect to a backend and obtain an anonymous token without a clear user-facing warning or consent step. Silent backend authentication and session creation can surprise users, create undisclosed third-party network traffic, and mask the fact that a remote service account/token is being provisioned on their behalf.

VirusTotal

66/66 vendors flagged this skill as clean.
