Free Video Fast

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should know it contacts NemoVideo and can send selected media and prompts there.

Install only if you are comfortable sending chosen video, audio, image files, URLs, and editing prompts to the NemoVideo cloud service. Use a dedicated NEMO_TOKEN if possible, avoid private or sensitive footage unless you trust that provider, and ask the agent to confirm before uploads, exports, or low-confidence edit requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Low (86% confidence)
Finding
The skill automatically acquires anonymous auth tokens from a third-party service without an explicit user consent step, which means it can initiate authenticated remote activity beyond what the user clearly approved. In a skill that handles user media, silent token provisioning increases privacy and trust risk because it enables backend account/session creation and quota consumption before the user understands the remote processing model.

Vague Triggers

Medium (91% confidence)
Finding
The invocation phrases are overly broad and generic, such as common words around creating or exporting videos, which increases the chance the skill activates on unrelated conversation. That can cause accidental upload/session setup behavior or route user content to the remote backend without sufficiently specific intent for this skill.

Vague Triggers

Medium (95% confidence)
Finding
The catch-all rule routing 'everything else' to the SSE edit backend is dangerously broad because it allows nearly any unmatched message to trigger remote processing. In this skill, that is more concerning because the backend can process user prompts and session state, so misrouting may expose data or incur actions on a cloud service unexpectedly.

Missing User Warnings

Medium (94% confidence)
Finding
The skill does not prominently warn users that uploaded media, prompts, and session data are transmitted to a remote cloud backend for processing. Given that users may share raw personal video clips, the lack of clear disclosure materially increases privacy risk and prevents informed consent about third-party handling of potentially sensitive content.

VirusTotal

66/66 vendors flagged this skill as clean.
