Free Generator Editor

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-editing connector that sends user-provided prompts and media to NemoVideo as part of its stated purpose, with privacy and consent caveats but no evidence of hidden or destructive behavior.

Install only if you are comfortable using NemoVideo cloud processing. Do not upload confidential videos, images, audio, or prompts unless you trust that provider’s handling of the data, and protect any NEMO_TOKEN because it can authorize use of the associated credits or session until it expires.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding:
The catch-all routing rule sends essentially all unmatched prompts to the remote editing backend, which can cause unintended data disclosure and surprising network actions for unrelated user requests. In a conversational agent context, overly broad invocation increases the chance the skill captures prompts that were not meant for this service and transmits them off-platform.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill instructs the agent to automatically connect to a remote backend on first open, including obtaining an anonymous token, before meaningful user consent to network activity is established. This is risky because it initiates external communication and account/session creation as a side effect of opening the skill, which may violate user expectations and privacy requirements.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The description encourages users to drop video clips or images into chat for cloud processing but does not provide a clear upfront privacy warning that media will be uploaded to a remote service. Users may unknowingly transmit sensitive recordings, photos, audio, or embedded metadata to a third party without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
