Video Editor Internship

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends selected media and edit prompts to NemoVideo, with no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable sending uploaded video, audio, image files, and editing instructions to NemoVideo for cloud processing. Keep NEMO_TOKEN private, avoid confidential footage unless the provider is approved for it, and review export or credit-consuming actions during use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The catch-all rule routes 'Everything else' to the SSE backend, which can cause ordinary conversation or ambiguous user input to be sent to a remote service without clear boundaries. In this skill, that increases the chance of unintended network transmission of user text and may trigger backend actions or session state changes when the user did not mean to invoke the editing service.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to automatically connect to a remote backend and obtain an anonymous token/session on first open, but it does not require a clear user-facing notice before network transmission begins. Because this skill handles user-uploaded video and arbitrary prompts, silent automatic connection can expose user content and metadata to a third-party service before meaningful consent or awareness.

VirusTotal

63/63 vendors flagged this skill as clean.
