Ai Voiceover For Videos

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video voiceover/editing skill with privacy considerations, but no evidence of hidden execution, exfiltration, destructive behavior, or disproportionate local access.

Install only if you are comfortable sending chosen videos, prompts, and related project metadata to NemoVideo's cloud service. Avoid confidential or regulated media unless that provider is approved for your use, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The routing rule sends 'Everything else' to the SSE action, creating an overly broad trigger that can capture many unrelated user requests and forward them to the remote backend. This increases the chance of unintended activation, accidental disclosure of user prompts or attached media, and execution of cloud-side actions outside the user's clear intent for this specific skill.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill initiates cloud setup, token acquisition, session creation, and file/prompt transmission to external endpoints, but the user-facing description does not clearly warn that uploaded videos and prompts are sent to a third-party cloud service. This weakens informed consent and can lead users to disclose sensitive media or text under the mistaken assumption that processing is local or more private than it is.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal