Video Generation Ai

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-generation skill, but installing it means prompts, uploaded media, and session details may go to NemoVideo.

Install only if you are comfortable using NemoVideo's cloud service. Avoid sending sensitive, private, client, or unreleased media unless external processing is acceptable, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The routing rule sends essentially all unmatched user input to the SSE generation path, which can cause unintended prompts, files, or sensitive free-form text to be transmitted to the remote backend. In a networked skill that performs cloud processing, this broad catch-all increases the chance of over-collection and surprise data disclosure because ambiguous requests are treated as consent to invoke the external service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to automatically connect on first open, obtain an anonymous token, and create a session before clear user consent or a prominent warning that content and identifiers will be sent to a third-party service. This creates a privacy and transparency issue because network transmission, token provisioning, and session creation occur proactively, potentially exposing user metadata or prompting backend-side tracking without informed action by the user.

VirusTotal

61/61 vendors flagged this skill as clean.
