Maker Editor Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill that openly uses NemoVideo APIs, tokens, uploads, and render sessions, with no artifact evidence of hidden, destructive, or unrelated behavior.

Install this only if you are comfortable sending selected videos, images, audio, URLs, and editing prompts to NemoVideo for cloud processing. Use a dedicated NEMO_TOKEN if you have one, avoid sensitive or regulated media unless you trust the provider's privacy terms, and confirm exports or credit-consuming actions when using a paid account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low
Confidence: 89%
Finding
The skill goes beyond simple video editing by instructing the agent to automatically obtain anonymous tokens, create authenticated sessions, and query credits. That expands the trust boundary from media processing into account bootstrap and service-usage management, which can enable unauthorized consumption of third-party resources and silent backend access without explicit user understanding.

Vague Triggers

Medium
Confidence: 83%
Finding
The catch-all routing rule sends virtually any unmatched prompt to the SSE editing pipeline, which increases the chance of accidental activation and unintended transmission of user content or instructions to the external service. In an agent setting, broad activation logic can cause overreach beyond the user's intended action and reduce meaningful consent.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs automatic connection to a cloud API and later describes upload endpoints and remote GPU rendering, but it does not require a clear upfront warning that user media and prompts will leave the local environment. This creates a real privacy and data-handling risk, especially for sensitive or proprietary video files, because users may not realize content is being transmitted to a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.
