Completely Free Video Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation connector, but users should know their prompts and chosen media are sent to NemoVideo for processing.

Install this only if you are comfortable sending prompts, selected images, audio, or videos to NemoVideo's cloud service. Avoid private or regulated media unless you have reviewed the provider's terms, keep NEMO_TOKEN private, and check credit/free-use limits before relying on it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill directs the agent to automatically obtain a token and connect to a remote backend, including sending user prompts and potentially uploaded media for cloud processing, without a clear up-front consent notice. This creates a privacy and data-handling risk because users may unknowingly transmit sensitive content to a third-party service.

Natural-Language Policy Violations

Medium

Confidence: 87% confidence
Finding: Automatically detecting and transmitting the user's language during session creation without opt-in introduces unnecessary data collection and reduces user control over what metadata is shared. In isolation this is a limited issue, but it can contribute to privacy concerns when combined with automatic backend connection and content upload.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal