Best Editor Ai

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that openly depends on a remote NemoVideo service, with privacy and credential-use caveats users should understand.

Install only if you are comfortable with NemoVideo receiving the media, URLs, and edit prompts you choose to provide. Avoid confidential or regulated footage unless you trust that provider's data handling, and treat NEMO_TOKEN as a service credential tied to usage credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill advertises support for a narrow set of video formats, but later documents acceptance of many more media types including images and audio. This mismatch can mislead users and downstream policy checks about what data may be uploaded and processed, increasing the chance of unexpected data handling and review bypass.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the agent to automatically contact a remote backend and obtain an anonymous token on first use, before a clear consent prompt describing network activity and remote processing. This creates undisclosed outbound connections and account/session creation, which is risky when user content may include sensitive videos or metadata.

Missing User Warnings

Medium
Confidence: 95%
Finding
The metadata declares access to an environment token and a config path, but the skill does not clearly warn the user that local credentials/configuration may be read to authenticate against a remote service. Access to secrets and config directories is sensitive because it can expose tokens or enable unintended use of existing accounts.

Missing User Warnings

Medium
Confidence: 96%
Finding
Although the text mentions server-side processing, it does not prominently warn that uploaded videos and editing instructions are transmitted to remote cloud GPU services. Users may reasonably assume local-only editing unless privacy and data-transfer implications are made explicit before upload.

VirusTotal

66/66 vendors flagged this skill as clean.
