Music Cog Online

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud music/video editing skill, with the main caution that media and prompts are sent to NemoVideo’s API.

Install this only if you are comfortable sending selected media files, prompts, and render metadata to NemoVideo’s cloud API. Use it for explicit music/video editing tasks, avoid routing unrelated private prompts through it, and protect any NEMO_TOKEN you provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation guidance encourages very generic phrases like "sync my audio files" and invites users to "just tell me what you're thinking," which increases the chance the skill is activated or routes work when the user did not clearly intend to use this specific third-party service. Because the skill uploads user media to a remote API, accidental activation can lead to unintended transmission of files or prompts to an external provider.

Vague Triggers

Medium
Confidence: 93%
Finding
The routing table sends "Everything else" to the SSE chat/edit pipeline, which is an overly broad catch-all trigger. In a skill that can create sessions, send user prompts to a third-party backend, and potentially act on backend instructions, ambiguous routing materially raises the risk of unintended external data sharing and unexpected operations.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill description and workflow describe cloud processing and uploads, but do not provide a clear, user-facing warning that prompts, media files, and related metadata are transmitted to a third-party cloud API. This is especially important here because the skill handles potentially sensitive media content and performs automatic setup and session creation before normal interaction.

VirusTotal

66/66 vendors flagged this skill as clean.
