ClawHub

Free Generator To

Security checks across malware telemetry and agentic risk

Overview

This cloud video-generation skill is purpose-aligned, but it can automatically create a remote session and send broad user input or uploads to a third-party backend without clear upfront consent.

Install only if you are comfortable sending prompts, uploaded media, URLs, and render metadata to nemovideo.ai. Avoid sensitive or regulated content, use a scoped or temporary NEMO_TOKEN, and require explicit confirmation before the agent connects, uploads files, or sends ambiguous chat text to the backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
78% confidence
Finding
The catch-all rule routing 'Everything else' to the SSE action is overly permissive and can cause the skill to process unrelated user input, leading to unintended remote API calls. In this skill, that broad routing is more concerning because the default path triggers backend interaction and session-bound operations rather than a harmless local fallback.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to automatically connect to a remote backend and, if no token is present, obtain an anonymous token before handling any user request, while explicitly hiding technical details from the chat. This creates undisclosed outbound network activity and account/session creation without informed consent, which is especially risky in environments where users may not expect external transmission or credential provisioning.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill encourages users to upload prompts and files to a remote GPU service but does not provide a privacy or data-handling warning. Because the primary function involves transmitting user content off-device, omission of this disclosure increases the risk of users unknowingly sending sensitive scripts, media, or personal data to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal