ClawHub

Maker Text Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video text-overlay helper that sends selected media to NemoVideo as part of its stated purpose, with some scoping and transparency caveats.

Install only if you are comfortable sending chosen videos, prompts, and related media metadata to NemoVideo for cloud processing. Use a limited NEMO_TOKEN where possible, avoid sensitive or regulated footage, and ask the agent to confirm before uploads, URL ingestion, edits, or exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation phrases are very generic, such as 'generate my video clips' and 'export 1080p MP4', which can overlap with ordinary conversation. In an agent environment, broad triggers can cause accidental activation of this skill and unintended transmission of user content or initiation of remote API actions.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The routing rule sends 'Everything else' related to generate/edit/add BGM to SSE, which is an overly broad catch-all for a remote backend. This increases the chance that unrelated user instructions are interpreted as commands and forwarded externally, potentially exposing user data or causing unintended media operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to establish a backend connection and process uploaded videos on a remote API, but it does not clearly warn users that their media will be transmitted to a third-party service. For a video-processing skill handling potentially sensitive uploads, missing disclosure undermines informed consent and creates privacy and data-handling risk.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The session is created with language hard-coded to 'en' without checking user preference. While not a severe security issue, this can cause misprocessing of non-English content and inadvertent mishandling of user data or outputs, especially in multilingual contexts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal