Video Editing With Google

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that is transparent enough about using NemoVideo for processing, though users should treat uploaded media as third-party cloud data.

Install only if you are comfortable sending selected videos, audio/images, edit prompts, and session metadata to NemoVideo's cloud service. Avoid confidential meetings or sensitive screen recordings unless NemoVideo's privacy, retention, and deletion terms meet your needs, and do not assume this is an official Google service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to automatically connect to a remote backend and obtain an anonymous token on first open, before clear user consent for network activity. This can cause silent outbound requests, device fingerprinting via generated client IDs, and account/session creation without the user's informed approval.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill description encourages users to upload video clips for processing but does not clearly warn that media and edit instructions are sent to a third-party cloud rendering service. For a video-editing skill, uploaded content may contain sensitive screen recordings, meetings, or personal data, so the missing disclosure materially increases privacy and data-handling risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal