Free Video Generation Ai Api

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-generation skill, but users should expect prompts and chosen media to be sent to NemoVideo and processed under an automatically created token/session.

Install only if you are comfortable with NemoVideo receiving your prompts, uploaded media, and generation instructions, and with the agent creating or using a NEMO_TOKEN/session. Do not upload confidential, regulated, copyrighted, or personal media unless that external processing is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The skill directs the agent to silently obtain anonymous auth tokens and create persistent backend sessions automatically on first use. That causes network-side authentication and account-like state creation without explicit user consent, which can expose users to hidden external interactions, tracking, and unintended use of third-party resources.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The routing table sends essentially all unmatched requests to the SSE/chat backend via an 'everything else' catch-all. Overbroad triggers can cause accidental invocation and transmission of user text to a third-party service even when the user did not clearly intend to use this skill, increasing privacy and data-exposure risk.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs the agent to auto-connect to a remote backend and acquire authentication tokens while keeping setup communication brief and hiding raw token details. Performing network and auth actions without a clear warning or consent reduces user awareness and makes covert third-party interaction more dangerous in the context of an agent skill.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill encourages users to upload local media files to a cloud rendering service but does not include an explicit privacy/safety warning about third-party processing, storage, retention, or sensitive-content risks. Because uploads may contain personal, confidential, or copyrighted media, missing disclosure materially increases the chance of unintended data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal