Video Editor Ai Generator

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that discloses its NemoVideo API use and has no executable installer, but users should treat uploaded videos as shared with an external service.

Install only if you are comfortable sending video files and edit prompts to mega-api-prod.nemovideo.ai. Avoid uploading private, confidential, or sensitive footage unless you trust the provider’s privacy and retention practices, and prefer a dedicated NemoVideo token rather than any unrelated credential.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The routing table sends essentially all unmatched prompts to the SSE editing action, which can cause over-broad activation and unintended transmission of user requests to the remote backend. In this skill, that matters because the default path can capture ambiguous or unrelated user text and forward it to a third-party video-processing service, increasing privacy and data-handling risk.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly encourages users to share raw video footage but provides no clear warning about external processing, retention, third-party transmission, or sensitive-content handling. Because raw videos often contain faces, voices, screens, documents, or other personal data, missing disclosure and consent language can lead to accidental exposure of sensitive information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal