Video Editor Youtube

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video editor that sends selected videos and edit prompts to NemoVideo, with no local executable code or hidden install behavior found.

Install only if you are comfortable sending selected videos, media URLs, editing prompts, and render metadata to NemoVideo's cloud service. Keep NEMO_TOKEN private, avoid uploading confidential or unauthorized footage, and confirm uploads, credit use, and exports when the requested action is ambiguous.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The catch-all routing rule sends essentially any unmatched prompt to the SSE editing action, which can cause unintended cloud-side processing of ambiguous user requests. In this skill, that matters because the default action may transmit user text and potentially initiate edits against a live remote session, increasing the chance of accidental data disclosure or surprising side effects.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill invites users to upload raw video footage but does not clearly warn in the user-facing description that files are sent to a third-party cloud service for processing. Because videos may contain sensitive visual, audio, location, or personal data, the lack of up-front disclosure undermines informed consent and can lead to unintentional exposure of private media.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal