ClawHub

Text To Video Editor

Security checks across malware telemetry and agentic risk

Overview

This cloud video skill sends prompts and uploaded media to a remote rendering service, which fits its purpose but requires care with sensitive content.

Install only if you are comfortable sending selected prompts, scripts, and media files to the NemoVideo remote service. Avoid confidential, regulated, or private content unless you trust the provider's terms, keep NEMO_TOKEN private, and use explicit video-related requests so unrelated conversation is not forwarded by accident.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The suggested invocation phrases are very short and generic, such as "convert my text script" and "export 1080p MP4," which can overlap with ordinary user conversation. This increases the chance of unintended skill activation or routing, especially in environments where multiple skills compete for similar language, potentially causing accidental uploads, session creation, or remote processing.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table includes a catch-all rule sending "Everything else" to the SSE action, which is overly broad and can capture unrelated prompts. In this skill, that broad routing is more concerning because the default action transmits user text to a remote backend, creating a risk of unintended data disclosure and unexpected external API usage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages users to upload scripts and files for processing but does not provide a prominent user-facing warning at the point of use that content is sent to an external cloud service. Because uploads may include sensitive documents up to 500MB and processing occurs on remote GPU nodes, users may unknowingly disclose confidential or regulated information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal