Viral Team Video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but it sends editing prompts and selected media to NemoVideo's backend.

Install only if you are comfortable sending selected team footage, editing prompts, and render/session metadata to NemoVideo for cloud processing. Use a dedicated NEMO_TOKEN or temporary anonymous token, avoid confidential or consent-sensitive recordings unless approved, and keep prompts within the intended video-editing workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The routing rule sends all unmatched prompts to the SSE backend, which effectively turns the skill into a broad pass-through for arbitrary user input. In this skill, that matters because the backend can create sessions, edit media state, and potentially interpret freeform instructions in ways the skill author did not narrowly constrain, increasing the chance of unintended actions, prompt injection propagation, or misuse of the connected external service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal