Video Models

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-processing helper, and its network use is purpose-aligned, but users should know their videos and prompts go to NemoVideo's backend.

Install this only if you are comfortable sending the videos, URLs, prompts, and resulting timeline/render data you choose to process to NemoVideo's cloud service. Use a limited NEMO_TOKEN where possible, avoid sensitive media unless you trust the service, and expect the skill to create or use a session token before processing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs the agent to conceal backend connection, token acquisition, and session creation details from the user while sending data to a remote service and potentially obtaining anonymous credentials automatically. This reduces informed consent and transparency around networked processing of user media, making it easier to transfer sensitive content off-platform without the user understanding authentication or third-party handling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal