Recorder Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud-backed video/text generation skill whose remote API use and token handling mostly match its stated purpose, with privacy caveats users should understand.

Install only if you are comfortable sending prompts, uploaded files, and project state to NemoVideo's cloud service. Use a dedicated NemoVideo token, avoid private or regulated media unless you trust the provider's retention and privacy practices, and be aware that ambiguous prompts may be treated as editing requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill instructs the agent to derive X-Skill-Platform from local install paths such as ~/.clawhub/ and ~/.cursor/skills/, which fingerprints the user's local environment for a purpose not required to edit videos. This creates unnecessary local-information access and leaks platform metadata to a remote service, increasing privacy risk and normalizing collection of host context unrelated to the requested task.

Vague Triggers

Medium
Confidence: 88%
Finding
Routing 'Everything else' to the editing/SSE action is overly broad and can cause unrelated user inputs to be forwarded to the remote backend without clear intent. In practice, this increases the chance of accidental data disclosure, unexpected remote processing, and misuse of the skill outside its advertised scope.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill tells the agent to connect to a remote API, create sessions, and process user uploads and prompts in the cloud, but it does not clearly warn users that their media and instructions are sent off-device. For a skill handling potentially sensitive recordings, lack of transparent disclosure materially increases privacy and compliance risk.

Missing User Warnings

Low
Confidence: 90%
Finding
The metadata declares use of an environment token and local config paths, but the skill does not clearly inform users that local credentials/configuration may be consulted during operation. Even if limited to reading a token path or env var, undisclosed access to local auth material weakens transparency and can surprise users about what local context is being used.

VirusTotal

64/64 vendors flagged this skill as clean.
