ClawHub

Linkedin Video Maker

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose network, token, upload, and rendering behavior is disclosed and aligned with making LinkedIn videos, though users should understand it uses a third-party backend.

Install only if you are comfortable sending prompts, uploaded videos or images, URLs, editing state, and render jobs to the NemoVideo cloud backend. Treat NEMO_TOKEN like a password, use media you are allowed to upload, and review exported videos before posting them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing guidance sends nearly all unmatched prompts to the SSE backend, which increases the chance that unrelated or ambiguous user input is forwarded to a remote service without clear user intent. In a skill that uploads media and maintains editing state, broad fallback behavior can cause unnecessary network transmission, unintended job execution, and accidental disclosure of user content or prompts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically connect to the remote backend and obtain a token/session on first open, but it does not require a prominent user-facing notice that network requests and identifiers will be transmitted. This is risky because users may not realize that opening the skill initiates external communication and account/session creation before they explicitly choose to upload content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal