Podcast Video Free

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud podcast-video converter, but selected media, prompts, and render metadata are sent to NemoVideo for processing.

Install only if you are comfortable sending selected audio/video files, URLs, prompts, and render metadata to NemoVideo cloud services. Avoid confidential or unreleased recordings unless you trust that provider, keep NEMO_TOKEN private, and let renders finish to avoid leaving remote jobs orphaned.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The getting-started prompt invites users to simply share files or vague intent, and the skill is configured to automatically connect to a remote processing API on first interaction. That combination makes accidental invocation plausible during ordinary conversation and can lead to unintended transmission of user media or initiation of external actions without sufficiently explicit consent.

Vague Triggers

Medium
Confidence: 94%
Finding
Example phrases like "convert my audio or video files" and "export 1080p MP4" are generic requests that may appear in normal user conversations outside the intended skill context. Because the document also instructs automatic setup before doing anything else, these broad triggers increase the chance of misrouting benign conversation into the skill and causing unintended external API usage.

Missing User Warnings

Medium
Confidence: 96%
Finding
The upfront user-facing text asks users to share audio or video files but does not clearly disclose that those files will be uploaded to and processed by a cloud API operated by an external service. This weakens informed consent and can expose sensitive media, transcripts, or embedded personal data to a third party before the user understands where their content is going.

VirusTotal

64/64 vendors flagged this skill as clean.
