ClawHub

Free Maker Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video/text generation helper that discloses its backend API use and credential needs, with no evidence of deception or destructive behavior.

Install only if you are comfortable sending prompts, files, URLs, and render session data to NemoVideo's cloud API. Do not upload confidential media or documents unless that service is approved for your use, and keep NEMO_TOKEN scoped to this service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill’s declared purpose is simple media-to-video generation, but the documented behavior expands to arbitrary URL ingestion and ongoing remote session/account operations against a third-party service. This mismatch reduces informed consent and can cause users to unknowingly send external content, prompts, and session data to a cloud backend beyond what the manifest implies.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The skill instructs runtime inspection of local install paths to infer platform identity, which is unrelated to core media generation. Reading local path structure leaks host-environment metadata and creates unnecessary host introspection behavior that can aid fingerprinting or future targeted abuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The getting-started flow encourages users to send files immediately, but it does not clearly warn that media and prompts are transmitted to a remote third-party cloud service for processing. This undermines meaningful consent and may lead users to upload sensitive images, videos, or proprietary content without understanding the data flow.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill relies on the sensitive `NEMO_TOKEN` environment variable for authentication but does not clearly disclose that it will access and use this credential. Lack of transparency around credential use increases the risk of user misunderstanding and makes it harder to assess whether third-party authentication is appropriate.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal