ClawHub

Ai Video Dubbing

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-dubbing skill whose remote processing is broadly disclosed and aligned with its purpose, though users should treat uploaded videos and prompts as shared with NemoVideo.

Install only if you are comfortable sending video files, video URLs, prompts, and render/session metadata to NemoVideo's cloud service. Avoid confidential, regulated, or copyrighted media unless you are authorized and trust the provider; use a dedicated NEMO_TOKEN if possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example trigger phrases are very broad and generic, such as requests to 'convert my video files' or 'export 1080p MP4'. In a shared assistant environment, these phrases can overlap with ordinary user requests and cause the skill to activate unexpectedly, potentially routing unrelated files or prompts into this cloud-backed workflow without the user clearly intending to use this specific skill.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table contains an extremely broad fallback rule: 'Everything else' goes to the SSE action. That means nearly any unmatched user prompt may be forwarded to the remote backend, increasing the chance of unintended data transmission, prompt capture, or execution of edits/actions that the user did not mean to perform through this skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Although the document mentions a cloud processing backend, it does not provide a clear user-facing warning that uploaded videos, prompts, and possibly project state are transmitted to a third-party remote service. For media workflows, this is important because videos may contain sensitive personal, corporate, or copyrighted content, and users may not understand that processing is not local.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal