Video Letter

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but it sends selected media and prompts to NemoVideo for processing.

Install only if you are comfortable using NemoVideo's cloud backend. Avoid uploading sensitive personal footage unless you trust that service, confirm which files are being uploaded or exported, and keep NEMO_TOKEN out of shared logs or chats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The skill directs the agent to automatically obtain anonymous auth tokens and create persistent backend sessions, which expands behavior beyond simple local media editing into account/session management on a third-party service. This is risky because it enables autonomous external authentication and service consumption without a clear, explicit user consent step, and could cause unintended use of remote resources or creation of trackable service identities.

Vague Triggers

Medium, 86% confidence
Finding
The invocation text is broad enough that ordinary user language about videos or images could activate the skill unintentionally. Unintended activation is dangerous here because the skill can immediately connect to a remote backend and start handling user media, increasing the chance of accidental data transfer or unexpected external API use.

Vague Triggers

Medium, 88% confidence
Finding
The sample trigger phrases such as creating clips or exporting 1080p MP4 are vague and not uniquely tied to this skill, so they may match common user requests intended for other tooling. Because this skill performs cloud-backed processing and can create sessions automatically, weak scoping increases the risk of accidental routing and unintended disclosure of media to the backend.

Missing User Warnings

Medium, 95% confidence
Finding
The skill description encourages users to drop videos and images into chat for processing on cloud GPUs, but it does not prominently warn up front that uploaded media is sent to a third-party remote backend. This is a privacy and transparency issue because users may share sensitive personal footage without realizing it leaves the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.
