Music Visualizer Video Maker Free

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud music-visualizer skill, but users should understand that audio, prompts, drafts, and renders go to Nemo Video's remote API.

Use this skill only if you are comfortable sending your audio files, text prompts, project state, render metadata, and resulting video jobs to mega-api-prod.nemovideo.ai. Prefer the anonymous or revocable token flow when possible, avoid uploading unreleased or sensitive media unless you trust the service's privacy practices, and verify that any broad edit prompt is meant for the visualizer before allowing it to process remotely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The startup prompts and first-run behavior are broad enough that ordinary conversation or simply sharing files can automatically trigger authentication and connection to a third-party service. This creates a real risk of unintended activation and background network actions before the user has clearly consented, especially because the skill is designed to immediately connect 'before doing anything else.'

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table includes an 'Everything else' catch-all that sends most unmatched input into the SSE editing pipeline. In practice, this means unrelated or ambiguous user text could be forwarded to the remote backend, causing unintended processing, disclosure of user content to the service, or surprise credit/session consumption.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill mentions server-side rendering, but it does not present a clear upfront privacy warning that uploaded audio, project drafts, session data, and render metadata are transmitted to a remote third-party service. Because users may share unpublished or sensitive media, the omission undermines informed consent and increases the risk of accidental data exposure.

VirusTotal

65/65 vendors flagged this skill as clean.
