ClawHub

Overlaying Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-compositing skill that is coherent with its stated purpose, but users should understand that selected media and prompts go to NemoVideo for processing.

Install this only if you are comfortable sending chosen videos, images, audio, and edit instructions to NemoVideo. Use a dedicated token if possible, monitor credit use, and avoid uploading private or regulated media unless you have checked the provider's retention and deletion terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The skill instructs the agent to inspect local install paths to derive platform attribution, which is unrelated to performing video overlays and introduces unnecessary local environment probing. Even though the data collected is limited, it can reveal host-specific installation context and normalizes accessing local filesystem metadata without user need or consent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Routing 'Everything else' to SSE makes the skill a catch-all for nearly any unmatched user request, greatly increasing the chance that unrelated prompts or sensitive content are forwarded to the external backend. In a skill that uploads user media and relays free-form instructions to a cloud service, this broad trigger surface materially raises data exposure and unintended-action risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill encourages users to upload media but does not prominently disclose up front that files and instructions are sent to a third-party cloud backend for processing. This is a privacy and transparency issue because users may provide sensitive videos or audio without understanding where their content is going.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal