Video Editor With Ai Features

Security checks across malware telemetry and agentic risk

Overview

This video-editing skill appears purpose-aligned, but it sends user media to a remote backend with broad automatic activation and unclear first-use consent.

Install only if you are comfortable sending selected videos, prompts, and related editing data to NemoVideo's remote service. Avoid confidential or regulated recordings unless you have reviewed the provider's privacy and retention terms, and ask the agent to confirm before connecting, uploading, or exporting.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The catch-all rule routes 'everything else' to backend processing, which can cause the skill to activate on vague or incidental editing-related prompts. In a skill that can upload media, create sessions, and send user content to a remote service, overly broad invocation increases the chance of unintended data transfer or unexpected external actions.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill processes user-provided videos on a remote backend and even obtains anonymous tokens and creates sessions automatically, but the user-facing setup text does not clearly warn that uploaded media will leave the local environment. This can mislead users about privacy expectations and lead to unintentional disclosure of sensitive recordings or embedded credentials shown in screen captures.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal