Tiktok Add Music To

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud video-editing skill, but it needs review because it can create NemoVideo sessions and send user media or prompts to a remote backend without clear consent, retention, or scoping safeguards.

Review this before installing if your videos, audio, images, or prompts may contain faces, voices, locations, client data, or confidential material. Use a dedicated NemoVideo token, check the vendor's retention and deletion terms, and confirm what will be uploaded before asking the skill to process or export media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 84%
Finding
The invocation examples are extremely broad and generic, such as 'export' and 'add my video clips', which could cause the skill to activate on ordinary conversation unrelated to this specific tool. In a skill ecosystem, overbroad triggers can lead to unintended routing of user content, including media uploads or editing requests, to a third-party cloud backend without sufficiently clear intent.

Vague Triggers

Medium
Confidence: 91%
Finding
The catch-all rule routes 'Everything else' to the SSE backend, making activation boundaries ambiguous and allowing many unrelated user requests to be sent to a remote service. This increases the chance of accidental disclosure of user prompts or files to the vendor backend and creates unclear consent around cloud processing.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill clearly uploads user videos to a cloud processing backend and creates remote sessions, but it does not present a clear privacy notice, retention statement, or explicit consent flow before transfer. Because user videos may contain faces, voices, locations, or other sensitive content, silent remote processing materially raises privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.
