Video Editing With Ai App

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill that sends selected media and editing prompts to a named remote backend, with no executable install code or unrelated system access found.

Install only if you are comfortable sending chosen videos, audio, images, edit prompts, and related session data to NemoVideo's cloud service. Avoid sensitive footage unless you trust that provider's privacy and retention practices, and use explicit upload/edit/export requests to reduce accidental invocation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The routing table sends 'Everything else' to the SSE backend, creating an unbounded catch-all that could forward arbitrary user text to a remote service. In a skill that can create sessions and process uploaded media, this increases the chance of accidental invocation, unintended disclosure of user prompts, and backend actions outside the user’s clear intent.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill describes cloud rendering and upload behavior, but it does not present a clear upfront warning to users that their video/audio media and prompts are transmitted to a third-party remote service for processing. For a media-editing skill handling potentially sensitive recordings, this omission can lead to uninformed disclosure of private content.

VirusTotal

34/34 vendors flagged this skill as clean.

View on VirusTotal