Video Editing With Italiano

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that uses NemoVideo’s backend as advertised, with privacy considerations but no hidden code or unrelated access.

Install only if you are comfortable sending selected videos, images, audio, URLs, edit prompts, and related metadata to NemoVideo for cloud processing. Keep NEMO_TOKEN private, avoid confidential or regulated footage unless you trust the provider’s privacy practices, and use the skill for explicit editing/export tasks.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Low

Confidence: 90% confidence
Finding: The skill instructs the agent to automatically mint anonymous bearer tokens and create backend sessions without explicit user authorization or a clear consent step. This can enable unintended third-party service use under transient credentials, obscure accountability, and cause user content to be sent to an external platform before the user meaningfully understands the trust boundary.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The setup flow instructs automatic connection to a remote processing backend and token/session creation, but does not provide a prominent upfront warning that user media will be uploaded to and processed by a third-party cloud service. This undermines informed consent and can expose sensitive videos, audio, or metadata to external infrastructure unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal