ClawHub

Subtitle Translator Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate cloud subtitle/video tool, but it sends media and broad user prompts to an external video API with loose routing, so it needs review before use.

Install only if you are comfortable sending selected videos, subtitle/editing prompts, and session metadata to NemoVideo for cloud processing. Use non-sensitive test media first, keep NEMO_TOKEN private or disposable, and avoid confidential or consent-sensitive footage unless you trust the provider and its retention/privacy practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest markets the skill as narrowly focused on subtitle translation, but the body exposes a broader remote video-editing/render pipeline with uploads, SSE command execution, state inspection, and export behavior. This mismatch can cause users or host agents to grant the skill more trust and broader data access than they intended, increasing the chance of unexpected external processing and action scope.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The routing guidance uses very broad keyword matching such as 'everything else' to invoke SSE-backed actions, which can cause ambiguous or ordinary user phrases to trigger remote operations unintentionally. In a skill that uploads files and issues cloud API requests, misrouting can lead to unintended processing, state changes, or exports without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The user-facing description omits that uploaded videos and user messages are sent to an external cloud API for processing. This is a material transparency and privacy issue because users may provide sensitive media or content under the assumption that processing is local or limited, when the skill actually transmits data to a third party and creates remote sessions/tokens.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal