Ai Video Editor Like Grok

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent cloud video-editing connector, but users should understand that videos, prompts, session data, and service tokens go to NemoVideo.

Install only if you are comfortable sending your videos, editing instructions, and session metadata to NemoVideo for cloud processing. Prefer using your own NEMO_TOKEN when available, watch credit and export usage, and avoid uploading sensitive footage unless you trust the provider's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill instructs the agent to automatically obtain an anonymous token from a third-party service whenever no user-provided token is present. This causes the agent to establish external identity/session state and initiate authenticated backend access without explicit user consent, which is risky because it silently expands the trust boundary and may bind usage, quotas, or uploaded content to an automatically created account context.

Context-Inappropriate Capability

Low
Confidence: 89%
Finding
The skill instructs reading local install path and configuration context to derive attribution headers such as platform and version. Even though the data accessed is limited, it unnecessarily uses local environment/context beyond the user's editing request and can disclose host-specific metadata to the remote service without clear necessity or user awareness.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill directs the agent to upload video, create sessions, and acquire tokens against a third-party backend, but explicitly says to keep technical details out of chat and does not provide a user-facing disclosure that files and related metadata will be transmitted off-platform. This undermines informed consent for potentially sensitive media content and session data.

Missing User Warnings

Low
Confidence: 78%
Finding
The skill notes that render jobs may be orphaned if the user closes the tab, but this operational risk is buried in implementation details rather than surfaced as a clear user warning. While not a direct exploit primitive, lack of disclosure can mislead users about background processing and continued handling of their media after they leave.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The skill hardcodes session creation with language set to English, overriding potential user preference and causing unnecessary transmission of an inferred or imposed locale setting. This is primarily a privacy and user-autonomy issue rather than a severe security flaw, but it still reflects sending parameter choices to a third party without user control.

VirusTotal

64/64 vendors flagged this skill as clean.
