Motivation Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that is purpose-aligned and disclosed, but users should understand that prompts and media are sent to NemoVideo.

Install this only if you are comfortable sending video/audio files, media URLs, editing prompts, and render metadata to NemoVideo for cloud processing. Avoid using private, client, copyrighted, or sensitive clips unless you have permission and are comfortable with that external processing; protect any NEMO_TOKEN value.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 94% confidence
Finding
The trigger guidance says users can simply share clips or vaguely describe what they are thinking, which is broad enough to activate the skill during ordinary conversation or unrelated media-sharing. That can cause unintended routing of user content into this skill and, because the skill uploads media/prompts to a remote backend, may expose data the user did not intend to send.

Vague Triggers

Medium, 95% confidence
Finding
The example trigger phrase 'create my video clips' is too vague to unambiguously indicate a motivational-video editing request. Overly generic examples increase the chance of accidental invocation, leading to unintended cloud processing, token use, and possible transmission of user media to the external service.

Missing User Warnings

Medium, 97% confidence
Finding
The skill sends uploaded videos, prompts, and session data to a third-party cloud backend, but the user-facing setup and description do not clearly warn users before data transfer occurs. This is dangerous because users may share sensitive or copyrighted media without informed consent, and anonymous token/session creation further obscures that remote processing and persistence are happening off-device.

VirusTotal

63/63 vendors flagged this skill as clean.
