Text To Video Hindi Ai

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real NemoVideo cloud generation workflow, but it can send broad prompts and uploaded documents to a third-party backend without clear upfront user consent.

Review before installing. Use it only if you are comfortable sending prompts, uploaded files, and generated project state to NemoVideo cloud services. Avoid confidential documents or regulated media, and use a dedicated revocable NEMO_TOKEN if possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The routing table sends 'Everything else' to the SSE generation path, which makes the skill default to a powerful cloud action for any unmatched request. This can cause unintended uploads, edits, or generation behavior from ambiguous prompts, increasing the chance of user surprise, privacy mistakes, and misuse of backend resources.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to connect to a cloud backend and process user text/files, but the user-facing description does not clearly warn that prompts and uploaded documents are transmitted to a third-party service. This creates a privacy and consent risk, especially because supported inputs include potentially sensitive documents up to 200MB.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal