ClawHub

Magic Light Ai

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent cloud video-lighting skill, with privacy considerations because user media is sent to NemoVideo for processing.

Install only if you are comfortable sending videos, images, or referenced media URLs to NemoVideo’s cloud API. Avoid uploading sensitive or private footage unless you trust the service’s retention and privacy practices, and prefer explicit confirmation before using remote URL ingestion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a user-upload video processor, but it also supports server-side ingestion from arbitrary URLs without clearly disclosing that behavior. This can enable unexpected third-party fetching of remote content, increasing risks around SSRF-like backend abuse, privacy issues, and user misunderstanding about what data sources the service will access.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Routing nearly any unmatched message into the main SSE pipeline creates an overly permissive command surface. In this skill's context, that means arbitrary or ambiguous user input may be sent to a powerful backend editor, increasing the chance of unintended actions, prompt-injection-style misuse of backend instructions, or execution of operations outside the advertised scope.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends uploaded media to a third-party cloud GPU service, but the user-facing description does not prominently warn about that external transfer. This is a real privacy and trust issue because users may upload sensitive footage under the assumption processing is local or first-party, especially given the marketing emphasis on simplicity rather than data handling.

VirusTotal

No VirusTotal findings

View on VirusTotal