Caption Generator Adobe

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud captioning tool, but it asks the agent to send broad media-editing requests and user files to a third-party backend with weak upfront consent and scope controls.

Install only if you are comfortable sending your videos, prompts, and possibly image or audio files to NemoVideo for cloud processing. Confirm uploads, exports, anonymous token creation, and any non-caption editing request explicitly, and avoid private, regulated, or confidential footage unless you have reviewed the service's privacy and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium (88% confidence)
Finding
The manifest frames the skill as a narrow captioning tool, but the documentation exposes a broader media editing and rendering pipeline, including uploads, state inspection, SSE-driven edits, credits, and export workflows. This capability mismatch can cause users and host platforms to grant trust or permissions under a narrower expectation than what the skill actually does, increasing the risk of unintended data handling and policy bypass.

Vague Triggers

Medium (91% confidence)
Finding
Routing 'everything else' to the SSE backend makes the skill overly greedy and allows a wide range of unrelated or ambiguous user prompts to be sent to a third-party cloud service. This expands data exposure and increases the chance of unintended actions, especially because the backend appears to support general editing operations beyond simple caption generation.

Missing User Warnings

Medium (94% confidence)
Finding
The skill instructs the agent to connect to a cloud backend and upload video/prompt data, but it does not clearly warn users up front that their files and instructions are transmitted to an external service. For media files, this can expose sensitive visual, audio, or metadata content without meaningful informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
