Nemo Video Quick

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should know their prompts and uploaded media go to Nemo Video's external service.

Install only if you are comfortable sending video, audio, images, prompts, and session metadata to Nemo Video's cloud service. Keep NEMO_TOKEN private, avoid confidential footage unless you trust the provider, and review exports or credit-consuming actions before proceeding.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The catch-all rule routes 'everything else' to the SSE backend, which gives the skill an overly broad trigger surface for arbitrary user messages. In a multi-skill or agent environment, this can cause unintended activation and transmission of user content to a third-party service, increasing privacy and prompt-routing risk.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to share raw video footage and describes cloud processing, but it does not present a clear, up-front warning that uploaded media and associated prompts are sent to an external backend. Because videos may contain sensitive visual, audio, and metadata content, insufficient disclosure can lead to unintended exfiltration of personal or confidential information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal