Audio To Subtitle

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud audio-to-subtitle skill, with privacy cautions around sending media to NemoVideo for processing.

Install only if you are comfortable sending selected audio/video files, prompts, and render metadata to NemoVideo's cloud service. Avoid confidential or regulated recordings unless you have reviewed and accepted the provider's privacy and retention terms, and use a dedicated NEMO_TOKEN where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrases are very broad and generic, such as 'export 1080p MP4' and 'convert my audio files', which increases the chance the skill activates in contexts the user did not clearly intend. In a skill that uploads media and sends prompts to a cloud backend, unintended activation can lead to accidental transmission of user files or requests to a third-party service.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill clearly relies on a cloud processing backend and instructs the agent to upload user media and prompts, but it does not present a prominent user-facing warning at the point of use that this content will leave the local environment. This creates a meaningful privacy and data-handling risk, especially for audio files that may contain sensitive speech, personal data, or confidential material.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal