Subtitle Generator Best

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud-based subtitle/video rendering skill, but users should know their media and prompts are sent to nemovideo.ai.

Install only if you are comfortable sending video files, prompts, and render metadata to nemovideo.ai. Avoid confidential, private, or copyrighted media unless you trust that provider’s privacy, retention, and deletion practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The activation examples and wording are broad enough that the skill could trigger on vague media-editing requests outside the user's intended scope. In practice this can cause unintended routing of user files and prompts to a third-party cloud service, increasing privacy and consent risk even if the backend itself is legitimate.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs users to send video files while only later revealing that processing occurs on a cloud backend. This undermines informed consent for potentially sensitive media and text prompts, especially because uploads may contain private faces, voices, screens, or copyrighted material.

VirusTotal

66/66 vendors flagged this skill as clean.
