Best To Video Ai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-generation skill, but users should understand that prompts and uploaded media are sent to NemoVideo.

Install only if you are comfortable sending scripts, documents, media, prompts, and project state to NemoVideo for cloud processing. Avoid confidential or regulated content unless you trust the provider, and use a dedicated low-privilege token where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The routing rule sends 'Everything else' to the SSE action, creating an overly broad catch-all path for arbitrary user input. In a skill that uploads content and interacts with a remote third-party backend, ambiguous activation increases the chance of unintended transmission of user prompts or files to the external service.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to connect to external endpoints, acquire tokens, create sessions, and process uploads on a third-party service, but it does not prominently warn users that their prompts and files are sent off-platform. This can lead users to disclose sensitive documents or media without informed consent, which is especially risky given support for uploaded files up to 200MB.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal