Ai Text Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a NemoVideo cloud media-generation skill, but it needs review because it can create a remote token/session automatically and send user prompts or uploaded files to a third-party service without a strong upfront consent step.

Install only if you are comfortable with NemoVideo receiving your prompts, uploaded media/documents, project state, and render metadata. Avoid sensitive, confidential, regulated, or proprietary content unless you have approved that third-party processing, and prefer an explicit NEMO_TOKEN/account setup over silent anonymous-session creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to automatically obtain an anonymous token and establish a remote session on first open, without explicit user consent or a prominent notice that network and authentication actions are occurring. This can cause silent outbound connections, create third-party accounts/sessions on behalf of the user, and normalize hidden auth flows that may expose metadata or consume service credits.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill emphasizes convenience and cloud processing but does not clearly warn that user prompts, scripts, uploads, and generated media are sent to a third-party cloud rendering backend. In a skill that handles user-provided files and text, this omission can mislead users about data handling and increase the risk of inadvertent disclosure of sensitive or proprietary content.

VirusTotal

66/66 vendors flagged this skill as clean.
