Professional Generator Free

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill that uploads selected media to NemoVideo and uses a provider token, with some broad routing language users should treat carefully.

Install only if you are comfortable sending chosen videos, images, audio, URLs, and editing prompts to the NemoVideo cloud service. Keep NEMO_TOKEN private, watch credit usage, and invoke the skill deliberately for cloud video work rather than casual editing discussion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The example invocations are extremely broad and overlap with ordinary user requests such as 'export 1080p MP4' or 'generate my raw footage', making accidental or unintended activation likely. In an agent environment, ambiguous triggers can cause the skill to intercept unrelated prompts and initiate external network actions, token acquisition, session creation, or file-processing workflows without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence: 98%
Finding
The catch-all rule routes essentially all remaining prompts ('Everything else') into the SSE editing path, which is overly permissive for a skill that can upload media, create sessions, consume credits, and send data to a third-party backend. This broad matching significantly increases the risk of prompt hijacking, accidental activation, and unintended disclosure of user content to the remote service, especially because ordinary conversation about editing could be misclassified as a command.

VirusTotal

64/64 vendors flagged this skill as clean.
