Free Video Editing With

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate cloud video-editing skill, but it can contact a third-party service and route broad or ambiguous prompts there without clear user confirmation.

Install only if you are comfortable sending editing prompts, media files, and session metadata to Nemovideo's remote service. Avoid sensitive media unless you trust that service, and use explicit video-editing requests so the skill is not accidentally invoked for unrelated conversation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The example trigger phrases are broad and generic enough that normal conversation could unintentionally invoke the skill. In an agent environment, accidental invocation can cause unsolicited network calls, token generation, session creation, and media-processing actions against third-party services without clear user intent.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The routing rule includes an 'Everything else' catch-all that sends arbitrary user input into the SSE editing flow, making invocation boundaries extremely weak. This increases the chance of accidental activation and unintended transmission of user prompts or file-related instructions to the remote backend, especially given the skill's automatic setup and session behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal