Generator Downfall

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Nemo cloud video workflow, but it is broader and more account-connected than the narrow generator-failure clipping description suggests.

Install only if you intend to use Nemo as a cloud video-editing service, not just a local or narrowly scoped generator-failure detector. Expect videos, prompts, draft state, and account or credit information to be handled by the Nemo backend, and review the service's privacy, retention, and billing terms before uploading sensitive operational footage.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (4)

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The manifest presents a narrowly scoped generator-failure clipping tool, but the body documents a much broader cloud video editing and rendering platform. This scope mismatch can mislead users and hosts about what the skill can actually do, enabling unintended remote media processing beyond the declared purpose and weakening trust and review boundaries.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The skill exposes broad media-generation and editing operations such as general editing, BGM, overlays, and export workflows that are unrelated to the stated equipment-failure clipping purpose. Excess capability increases abuse potential and can let a narrowly approved skill function as a generic remote editing proxy.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: Routing 'everything else' to the SSE action creates a catch-all path that can forward arbitrary user requests to a powerful backend. In a skill that already exposes a general editing pipeline, this substantially expands reachable behavior and undermines any attempt to constrain use to the advertised purpose.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill encourages users to upload local media to a third-party remote backend but does not clearly disclose that files are transmitted off-platform for cloud processing. This creates a privacy and compliance risk, especially because uploaded videos may contain sensitive operational, personal, or location data.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal