Clideo Add Music

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it can automatically connect to a cloud video backend and route broad editing requests there, so users should review it before installing.

Install only if you are comfortable uploading your media and edit instructions to the NemoVideo cloud backend. Avoid sensitive personal, business, or private footage unless you trust that service's privacy and retention practices, and prefer explicit confirmation before upload, export, or non-audio edits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 84%
Finding
The activation examples are generic enough that normal user conversation could unintentionally invoke the skill. In this skill, accidental activation is more sensitive because it can lead to media being uploaded to a third-party cloud backend and remote session/token flows being initiated without clear user intent.

Vague Triggers

Medium
Confidence: 90%
Finding
The catch-all rule routes 'everything else' into the SSE editing pipeline, which is overly broad and can capture unrelated user requests. Because that path sends user prompts to a cloud service and may mutate remote session state, ambiguous routing increases the risk of unintended disclosure and unintended remote actions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to connect automatically to a cloud backend, obtain or mint a token, create a session, and process user media remotely, but the user-facing description does not clearly warn that prompts and uploaded files leave the local environment. This is dangerous because users may share sensitive videos, audio, or images without informed consent, causing privacy and data-handling risks.

VirusTotal

66/66 vendors flagged this skill as clean.
