Ai Video Editor For Davinci

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should understand that their footage and prompts are sent to NemoVideo for processing.

Install only if you are comfortable sending selected videos, images, audio, prompts, and session metadata to mega-api-prod.nemovideo.ai. Avoid private, regulated, or proprietary footage unless you trust that service’s privacy and retention practices, and consider using a limited token rather than a long-lived credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 90% confidence
Finding
The routing table includes an 'Everything else' fallback to the SSE editing path, which makes the skill activate for ambiguous or unrelated user prompts. In a skill that can upload media, create sessions, and trigger remote processing, overly broad invocation scope increases the chance of unintended external API calls and accidental data handling.

Missing User Warnings

Medium, 95% confidence
Finding
The skill directs users to send raw footage to a third-party cloud pipeline but does not present a clear warning that files and editing instructions will leave the local environment and be processed by an external service. Video files commonly contain sensitive visual, audio, and metadata content, so silent transmission creates privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
