Beginners Photo Video

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud photo-to-video helper, with the main caution that selected media is sent to NemoVideo for processing.

Install only if you are comfortable sending selected photos, image/video URLs, prompts, and related media metadata to NemoVideo's cloud service. Avoid private or confidential media unless you trust that provider, and keep any NEMO_TOKEN value private.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The skill uses broad, generic trigger language around common photo/video tasks, which can cause it to activate for ordinary media-editing requests without the user clearly intending to use this specific third-party cloud workflow. That increases the chance of accidental routing of user content and prompts into an external service, especially because the skill also handles uploads and remote processing.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill prominently encourages users to send photos and prompts but does not clearly warn, at the point of collection, that those inputs are transmitted to a cloud backend for processing. For personal vacation photos and free-form prompts, this omission can lead to uninformed disclosure of sensitive personal data, metadata, or private content to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal