Ai Voiceover For

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video voiceover/editing skill that discloses remote NemoVideo processing and contains no executable installer code, but users should understand selected media and prompts leave their device.

Install only if you are comfortable sending selected videos, scripts, images, audio, prompts, and related metadata to NemoVideo for cloud processing. Use a service-specific token, avoid confidential or regulated media unless you trust the provider's terms, and confirm ambiguous requests before allowing the skill to contact the remote backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 86% confidence

The catch-all routing rule sends nearly any unmatched request into this skill's SSE editing flow, which can cause overbroad activation and unintended transmission of user prompts to a third-party backend. In an agent environment, overly permissive routing increases the chance that unrelated or sensitive requests are mishandled by this skill.

Missing User Warnings

Medium, 92% confidence

The skill instructs the agent to connect to a remote backend, acquire tokens, create sessions, and later upload media/prompts, but it explicitly says to keep these technical details out of the chat. That omission prevents meaningful user consent and can lead to sensitive media, prompts, or metadata being transmitted off-platform without adequate notice.

VirusTotal

65/65 vendors flagged this skill as clean.
