Video Editing Ai Auto

Security checks across malware telemetry and agentic risk

Overview

This looks like a real cloud video-editing skill, but its instructions are too broad about when to contact the external service and send prompts to it.

Install only if you are comfortable sending selected videos, audio, image URLs, and edit prompts to NemoVideo's cloud API. Use a dedicated or revocable token where possible, avoid confidential or client footage unless you trust the provider, and be careful not to invoke the skill for unrelated conversation because it may create a session and forward broad prompts to the backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 84% confidence
Finding
The getting-started prompt invites users to say very generic phrases like "edit my raw video footage," so the skill could be triggered by ordinary conversation or incidental text rather than a clear, intentional skill invocation. In an agent environment, broad activation language increases the chance the skill runs unexpectedly, causing unintended API calls, token use, or processing of user files.

Vague Triggers

Medium, 90% confidence
Finding
The routing table contains a catch-all rule mapping "Everything else" to the SSE action, meaning a wide range of unrelated or ambiguous user inputs could be sent to the backend editing pipeline. This expands the skill's execution surface and can lead to unintended network requests, session activity, or backend-side actions from innocuous conversation.

VirusTotal

66/66 vendors flagged this skill as clean.
