Text To Video Open Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud text-to-video connector that openly sends prompts and uploaded media to NemoVideo for rendering.

Install only if you are comfortable sending video prompts and uploaded media to mega-api-prod.nemovideo.ai. Avoid secrets, regulated data, or confidential business materials unless you trust that backend, and be aware that first use may create an anonymous token/session and consume service credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding:
Routing all unmatched requests to the generation/SSE action is overly permissive and can cause the skill to send unintended user content to the remote backend. In a conversational agent context, broad fallback logic increases the chance of accidental activation, unexpected external transmission of sensitive prompts, and hard-to-audit behavior.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill sends prompts and uploaded files to a cloud backend, but the user-facing description does not prominently warn that their content leaves the local environment. This creates a privacy and data-handling risk because users may share sensitive scripts or files without understanding they are being transmitted to a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.
