Image To Video Ai Generator

Security checks across malware telemetry and agentic risk

Overview

This video-editing skill is coherent and not malicious, but it sends media and prompts to Nemo Video cloud and may use account-linked credits.

Install only if you are comfortable sending clips, images, audio, prompts, and related metadata to Nemo Video for cloud processing. Keep NEMO_TOKEN private, avoid sensitive or proprietary media unless the provider terms are acceptable, and expect account credits or plan limits to apply.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs uploading user media to a third-party cloud backend and states that synthesis runs on distributed GPU clusters, but it does not clearly warn users that their files and prompts will be transmitted off-device. This creates a meaningful privacy and data-handling risk, especially if users submit sensitive, proprietary, or personal images under the assumption of local processing.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill uses `NEMO_TOKEN` and can also obtain anonymous starter tokens, but it provides no warning about account usage, token scope, credit consumption, or the sensitivity of bearer credentials. Users may unknowingly spend account credits or expose credentials to a remote service without understanding the consequences.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal