Video Editing Ai Chatgpt

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should understand that media and prompts are processed by NemoVideo's remote service.

Install only if you are comfortable sending uploaded videos, audio, images, prompts, and editing state to NemoVideo's cloud service. Avoid confidential or regulated media unless you have reviewed the service's privacy and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The example invocations are very generic (for example, phrases like 'export 1080p MP4' or partial editing requests) and could cause the skill to activate from ordinary conversation rather than a clearly intentional tool invocation. In this skill, unintended activation is more concerning because it can lead to automatic cloud setup, token acquisition, session creation, and possible media upload to a third-party backend without a strongly explicit user intent boundary.

Vague Triggers

Medium
Confidence: 92%
Finding
The routing rule sends 'Everything else' to the SSE editing action, which is an ambiguous catch-all that lacks scope constraints and can treat unrelated user text as an instruction for the remote backend. Because the backend can drive edits and other operations through streamed responses, this broad routing increases the chance of unintended external requests, prompt leakage to a third-party service, or accidental modification/export actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to connect to a cloud backend, acquire tokens, create sessions, and process user media, but it does not clearly warn users up front that their files and prompts will be sent to a third-party service. In a media-processing skill handling potentially sensitive video/audio, this omission materially increases privacy and consent risk, especially if users assume editing is local or do not realize cloud retention and external processing are involved.

VirusTotal

66/66 vendors flagged this skill as clean.
