Video Editing With Nodes

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-editing connector that sends user-provided media and prompts to NemoVideo, which matches its stated purpose but deserves normal privacy caution.

Install only if you are comfortable sending videos, prompts, and optional source URLs to NemoVideo for cloud processing. Avoid confidential, regulated, or highly personal media unless that service is approved for your use, and prefer a dedicated NEMO_TOKEN if you use your own credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to obtain tokens from a third-party backend and upload user video content, but it does not require any user notice or consent about external transmission, storage, or processing. Because uploaded media may contain sensitive visual, audio, location, or personal data, silently sending it to a remote service creates a real privacy and data-handling risk.

Natural-Language Policy Violations

Medium

Confidence: 83% confidence
Finding: The skill hard-codes the session language to English when creating the backend session, without checking the user's preferred language or obtaining consent. This can cause misprocessing of multilingual content, inaccurate edits or prompts, and unnecessary disclosure of user data through translation or incorrect interpretation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal