Trimmer Free Online

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real cloud video-editing helper, but it should be reviewed because it automatically contacts a third-party backend and routes broad editing requests beyond simple trimming.

Review before installing. Use it only if you are comfortable sending media files, edit prompts, and render/session metadata to mega-api-prod.nemovideo.ai. Avoid sensitive footage unless you trust that provider, and be aware the skill may perform broader cloud video editing, not only simple trimming.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill is presented as a simple video trimmer, but the documentation expands behavior into a broader cloud media-editing workflow with generic edit/generate operations, credits management, state inspection, overlays, and audio-track handling. This increases the reachable capability surface and can cause the agent to perform actions users did not reasonably expect from the advertised purpose, especially when paired with broad routing rules and remote backend control.

Context-Inappropriate Capability

Low
Confidence: 83%
Finding
The skill instructs the agent to inspect local install/config paths to infer platform attribution, which is unnecessary for trimming a video and introduces local environment probing. Even limited path inspection can reveal host-specific metadata and normalizes access to local filesystem details unrelated to the user's request.

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation rules are broad enough to route generic editing requests such as generate, edit, overlays, audio, and similar terms into this skill. That makes accidental or overbroad activation more likely, increasing the chance that user content is sent to a third-party backend or that unintended operations occur under an overly general prompt.

Missing User Warnings

High
Confidence: 96%
Finding
The skill handles user-supplied video files through a cloud backend but does not clearly warn users up front that their media will be uploaded to a third-party service. Because videos may contain sensitive visual, audio, metadata, or personal information, this omission undermines informed consent and can lead to unintended disclosure of private content.

VirusTotal

66/66 vendors flagged this skill as clean.