Ai Animation Software

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill that clearly centers on sending user-selected media and prompts to NemoVideo for rendering, with no hidden code or destructive behavior found.

Install only if you are comfortable sending selected images, videos, audio, text prompts, and timeline data to NemoVideo cloud services. Avoid private or confidential media unless you trust the provider’s handling of that content, and be mindful that ambiguous animation-session messages may be sent to the backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low, 86% confidence
Finding
The skill instructs runtime detection of the local install path to derive `X-Skill-Platform`, and its metadata also references local config paths. Inspecting local filesystem locations unrelated to the user's animation request expands data access beyond what is necessary for core functionality. While the stated purpose is attribution, unnecessary environment probing creates privacy risk and establishes a precedent for local discovery behavior in a cloud-upload skill.

Vague Triggers

Medium, 79% confidence
Finding
Routing essentially all unmatched requests to the generation/SSE action makes it easy for unrelated user input to be sent to the remote backend. In this skill, the default path can transmit arbitrary prompts and potentially attached context to a third-party API, increasing the chance of unintended data disclosure or unexpected billable actions. The cloud-processing context makes this more dangerous because uploads, prompts, and session state are explicitly persisted and processed remotely.

Missing User Warnings

Medium, 91% confidence
Finding
The setup instructions immediately connect to a remote API, obtain tokens, and create a session before clearly warning users that their prompts and uploaded media will be transmitted to a cloud service. For a skill handling images, videos, audio, and text up to 500MB, the absence of an upfront disclosure undermines informed consent and can lead users to share sensitive media without realizing it leaves the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.
