ClawHub

Generator Hitler

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-generation skill, but it can contact NemoVideo and send prompts or media too automatically and too broadly.

Review before installing. Use this only if you are comfortable sending prompts, uploaded media, project state, and render jobs to NemoVideo's cloud service. Prefer explicit confirmation before token creation, session creation, uploads, generation, or export, and avoid confidential, regulated, or sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The suggested invocation text is broad and generic enough that ordinary conversation like asking to 'generate my text prompts' could unintentionally activate the skill. Because the skill performs networked actions and can auto-connect to a backend, accidental invocation increases the risk of unintended data transmission and confusing behavior.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The catch-all rule routes 'Everything else' to SSE, which means ambiguous or unrelated user input may be sent to the remote backend without clear intent. In a skill that transmits prompts and potentially user-supplied media to a cloud service, this broad trigger scope materially raises the chance of unintended external disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs automatic connection to a remote processing backend on first open, with only a brief 'Setting up...' message and no meaningful consent flow. This is dangerous because it initiates network activity, token acquisition, and session creation before the user is clearly informed that a third-party service is being contacted.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The user-facing description emphasizes convenience but does not clearly disclose that prompts, uploaded files, and generated timeline state are sent to and processed by a cloud backend. This omission can mislead users into sharing sensitive content without understanding the data flow to an external service.

VirusTotal

45/45 vendors flagged this skill as clean.

View on VirusTotal