Auto Subtitle Generator Online Free

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it needs review because a subtitle-focused tool appears to route broad media editing and uploads to a remote backend without clear enough user consent.

Review before installing. Only use this with media you are comfortable sending to nemovideo.ai, confirm the exact edit/export action before upload, avoid sensitive or confidential videos, and ask the publisher for clearer disclosure about supported inputs, language selection, job cancellation, retention, and remote processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The skill is presented as a narrow subtitle generator, but the documented routing and backend behavior expose broader media-editing functionality. This scope mismatch can mislead users and host platforms about what the skill can do, increasing the chance of unauthorized or unexpected operations on uploaded content.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill advertises video-file uploads, but the upload interface also accepts arbitrary URLs and multiple non-video media types. That materially expands the trust boundary and data-ingestion surface beyond what users would reasonably expect from a subtitle tool.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The documented timeline, track, and GUI-translation features enable general-purpose editing rather than narrowly scoped subtitle generation. Excess capability in a specialized skill increases the risk of misuse, unintended transformations, and policy bypass through vague edit prompts.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger examples are broad and include low-specificity phrases like 'generate my video files,' which can cause the skill to activate on ambiguous requests. Combined with fallback routing, this can lead to unintentional transmission of user media or unintended backend actions.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The invocation guidance uses broad catch-all language that routes 'everything else' into SSE-backed processing. In a remote media-processing skill, ambiguous activation is risky because natural-language prompts may trigger non-obvious editing or backend operations outside the user's intended request.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs the agent to connect to a remote backend and process uploaded media, but it does not give users a clear warning that their files and prompts will be transmitted off-platform. This creates a transparency and consent problem for potentially sensitive media content.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding
The documentation notes that closing the tab can orphan remote jobs, but it does not surface this clearly as a user warning prior to export. Users may assume processing is local or ephemeral when jobs may continue remotely and persist beyond the active session.

Natural-Language Policy Violations

Severity: Medium
Confidence: 83%
Finding
Hard-coding English as the operational language without user choice can cause incorrect transcription, mis-handle multilingual content, and process data under inaccurate assumptions. While not a direct exploit path, it is a real safety and integrity issue in a subtitle-generation context.

Natural-Language Policy Violations

Severity: Medium
Confidence: 85%
Finding
Forcing the session language to English during session creation removes user control and can degrade transcription quality or produce misleading subtitles. In media workflows, inaccurate captions can create reputational, accessibility, and compliance issues.

VirusTotal

62/62 vendors flagged this skill as clean.
