Ai Video Editor Dance Free

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud dance-video editor that sends media and edit requests to NemoVideo, which matches its stated purpose.

Install only if you are comfortable sending dance videos, audio, edit prompts, and render metadata to mega-api-prod.nemovideo.ai for cloud processing. Avoid sensitive footage unless you trust NemoVideo's privacy and retention practices, and treat NEMO_TOKEN or anonymous tokens as credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill encourages activation from generic phrases like "edit my dance video footage" and similar natural language without a tighter invocation boundary. Broad triggers increase the chance the skill is invoked during ordinary conversation, causing unintended upload/setup flows or remote processing actions against user content.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The routing table sends "Everything else" to the SSE editing path, which effectively makes nearly any unmatched user message actionable. In a skill that talks to a remote backend and can mutate project state, this ambiguous fallback can cause unintended processing, excessive data transmission, or surprising edits from casual conversation.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill states that it handles editing on cloud GPUs and documents remote endpoints, but it does not present a clear user-facing warning that uploaded videos and prompts are transmitted to an external backend. Because users may share personal dance videos and descriptive prompts, the lack of explicit disclosure creates a meaningful privacy and consent risk.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill automatically acquires or uses a NEMO token and maintains remote sessions, but it does not clearly warn users that credentials or anonymous access tokens are involved in backend processing. This omission is less severe than undisclosed content upload, but it still reduces transparency around authentication state, session persistence, and potential account/credit usage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal