Subtitle Generator Software

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud subtitle/video workflow, but it needs review because it can automatically connect to a third-party service and route broad prompts or uploaded media there.

Install only if you are comfortable sending selected videos, editing prompts, and project state to NemoVideo's cloud service. Use explicit subtitle/video-processing requests, avoid sensitive or proprietary media unless you trust the provider, and prefer a dedicated token rather than a personal account token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill invites activation from vague phrases like sharing files or discussing ideas, which can cause the agent to invoke the skill during ordinary conversation without clear user intent. Because this skill uploads media to a third-party cloud service, accidental invocation can expose private content and trigger unwanted external processing.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing rule sends "Everything else" related to generating or editing to SSE, creating an overly broad catch-all that can map many normal creative requests into backend actions. In a skill that maintains sessions, uploads files, and can export processed media, this ambiguity increases the chance of unintended remote operations and data disclosure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The user-facing description emphasizes convenience but does not clearly disclose that uploaded videos are sent to a cloud processing API. Users may reasonably assume local handling, so the omission can lead to uninformed sharing of sensitive or copyrighted media with an external service.

Missing User Warnings

Low
Confidence: 90%
Finding
The setup flow automatically reuses an existing token or creates an anonymous token without a clear up-front warning to the user. Automatic credential creation and session establishment can surprise users, obscure account linkage or quota consumption, and initiate authenticated activity before informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
