auto-remotion

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed video-production workflow, but users should review install commands and avoid sending sensitive recordings to external transcription or AI services without approval.

Install this as an instruction-only Remotion workflow. Run setup commands in a dedicated project directory, review npm/pip packages before installation, avoid global or --force installs unless needed, and do not upload confidential recordings, audio, screenshots, or transcripts to ElevenLabs, LLMs, or other external services without permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README encourages use of third-party services for transcription and voice generation on user-provided video/audio, but it does not warn that sensitive recordings may be uploaded off-device to external providers. In this skill’s context, the source material is often product demos or screen recordings, which can contain confidential UI, customer data, API keys, internal tooling, or unreleased features, making silent cloud transfer a meaningful privacy and data-governance risk.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill directs an agent to run a non-interactive scaffolding command that will create a project and may install packages without an explicit approval checkpoint. In an agent setting, this can cause unreviewed filesystem changes and third-party code execution from package lifecycle scripts, which is materially riskier than in a purely human tutorial.

Missing User Warnings

Low
Confidence: 83%
Finding
The document presents global package installation commands without warning that they modify the system-wide environment. In an agent context, global installs can affect other workflows, alter PATH-resolved tools, and introduce persistent unreviewed code onto the host.

Missing User Warnings

Low
Confidence: 85%
Finding
The skill recommends installing other skills without an explicit warning that this changes the agent's toolset and persistent configuration. In an agent ecosystem, altering installed skills changes future behavior and trust boundaries, so doing so silently increases attack surface and can have lasting effects.

VirusTotal

66/66 vendors flagged this skill as clean.
