Ai Video Editor Happy Birthday

Security checks across malware telemetry and agentic risk

Overview

This birthday video skill does what it claims, but it automatically creates a third-party cloud session and can send prompts or uploaded media to NemoVideo with limited upfront user control.

Install only if you are comfortable with NemoVideo receiving your prompts, uploaded photos or clips, and render/session metadata. Avoid confidential or sensitive personal media, and prefer confirming before uploads or ambiguous edit requests are sent to the backend.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs the agent to automatically connect to a remote backend and, if no token is present, silently obtain an anonymous token and create a session without a clear user-facing consent step. This creates undisclosed network and authentication activity, and may cause users to upload data or establish third-party sessions without understanding that external services are being contacted and credentials/session state are being created.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal