Editor Not Generator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, with privacy and scoping caveats but no evidence of hidden, destructive, or deceptive behavior.

Install only if you are comfortable sending video files, media URLs, editing prompts, and project/session state to NemoVideo's cloud backend. Avoid confidential footage unless you trust that provider, keep NEMO_TOKEN private, and confirm before exports or broad edits that may consume credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (90% confidence)

Finding
The routing table sends essentially all unmatched requests to the SSE editing path, which can cause ordinary conversational input or ambiguous prompts to be forwarded to the cloud backend as editing commands. In this skill, that matters because the backend can consume credits, process user media, and act on timeline state, so over-broad intent matching increases the chance of unintended remote actions and data disclosure to the service.

Missing User Warnings

Medium (95% confidence)

Finding
The skill asks users to share existing video footage and describes cloud processing, but it does not present a clear, upfront privacy warning that uploaded media, prompts, and session data are sent to a third-party backend. Because users may upload sensitive videos or audio, the missing disclosure undermines informed consent and increases privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
