Video Generator Free No Sign

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-generation skill, but it automatically creates a remote NemoVideo session and uses broad remote routing with limited user confirmation.

Review before installing. Use it only for prompts and media you are comfortable sending to NemoVideo's cloud service, treat NEMO_TOKEN as a secret controlling session credits, and be aware that first use may contact the backend and create an anonymous session automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium, 97% confidence
Finding
The skill markets itself as 'no sign up' and 'free' while silently obtaining an anonymous authentication token, creating a session, and consuming backend credits. This is a trust and transparency problem because user prompts/files are transmitted to a third-party service under an account-like token without clear upfront disclosure, which can mislead users about authentication, billing limits, and backend tracking.

Context-Inappropriate Capability

Low, 86% confidence
Finding
The skill derives platform/install-path attribution from local filesystem locations and sends that metadata on every request, even though that information is not necessary to generate videos. This creates unnecessary environment fingerprinting and disclosure of local usage context to the remote service.

Vague Triggers

Medium, 81% confidence
Finding
The catch-all routing sends nearly any unrecognized prompt to the SSE generation endpoint, which can cause unintended transmission of arbitrary user text to the remote backend. In a chat environment, this broad trigger increases the chance of accidental exfiltration of unrelated or sensitive content the user did not mean to submit for video processing.

Missing User Warnings

Medium, 95% confidence
Finding
The skill instructs the agent to automatically connect to the backend and create tokens/sessions on first open with only a minimal 'Setting up...' message. This bypasses meaningful informed consent for network transmission and account/session creation, especially since users may believe they are interacting locally or anonymously without backend state.

VirusTotal

66/66 vendors flagged this skill as clean.
