ClawHub

Add Music Ai

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill fits cloud video editing, but it auto-connects to a third-party service and uses overly broad routing that could send unrelated prompts or sensitive media without clear user control.

Review before installing. Use this only if you trust nemovideo.ai with uploaded videos, prompts, session state, and render data. Avoid sensitive media, and require explicit confirmation before setup, upload, or export when using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The skill instructs runtime detection of the local installation path to infer the host platform and then transmits that information in request headers. That data is not necessary for adding background music to videos, so it creates avoidable environment fingerprinting and metadata disclosure to a third-party service. In this context the impact is limited, but it is still an unjustified privacy leak.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The routing rule sends essentially all unmatched prompts to the editing SSE action, which can cause unrelated or ambiguous user input to be forwarded to the remote backend. This broad delegation increases the chance of unintended data disclosure, accidental action execution, and prompt-to-tool misuse because user text that was not clearly intended for the service may still be transmitted and acted on.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill automatically connects to an external API and may obtain an anonymous token on first interaction without a user-facing notice or consent flow. This silently initiates third-party communication and credential creation, which is a privacy and transparency issue, especially because users may not expect remote account/session establishment just by interacting with the skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill describes uploading user videos and processing them through a cloud rendering pipeline without an explicit warning that media files will be transferred to a remote service. Video files often contain sensitive visual content and metadata, so failing to disclose remote transfer meaningfully undermines informed consent and may expose private material to third-party processing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal