Video Maker Generator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-generation skill, with privacy considerations but no artifact evidence of hidden local execution or unrelated data access.

Install only if you are comfortable sending uploaded images, videos, audio, prompts, and project state to the NEMO Video cloud service. Keep NEMO_TOKEN private and avoid confidential or client-owned media unless you have reviewed the provider's terms and retention practices.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The routing rule sends 'Everything else' to the SSE action, which can cause the skill to activate on unrelated prompts and forward arbitrary user text to the remote backend. In this skill's context, that increases the chance of unintended data disclosure and unexpected remote actions because the backend interprets free-form instructions as editing commands.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill clearly relies on a cloud backend for session creation, uploads, prompt handling, and rendering, but it does not prominently warn users before media files and prompts are transmitted off-device. That omission creates a privacy and consent risk, especially since users may upload sensitive videos, images, or audio under the assumption processing is local or minimally disclosed.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal