Maker Free Google

Security checks across malware telemetry and agentic risk

Overview

This video-making skill is coherent, but it can automatically connect to a third-party cloud service and process user media or prompts with broad activation rules and limited upfront consent.

Install only if you are comfortable sending selected media files, URLs, prompts, and related metadata to NemoVideo's cloud service. Avoid confidential or sensitive media unless you trust that provider, treat NEMO_TOKEN as a service credential, and do not assume the tool is operated by Google despite the Google-oriented name.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The getting-started prompt is broad enough that ordinary user conversation about images or clips could unintentionally invoke the skill. In an agent environment, this can cause unexpected routing into a workflow that uploads user media and creates remote sessions without sufficiently explicit consent.

Vague Triggers

Medium
Confidence: 92%
Finding
Example trigger phrases like "create my images or clips" and "turn these images into a 30-second" are highly generic and overlap with normal conversation about media editing. This increases the chance of accidental activation and unintended transmission of user content to the cloud service described later in the skill.

Missing User Warnings

Medium
Confidence: 95%
Finding
This section instructs the agent to connect to a cloud backend, mint anonymous tokens, create sessions, and process uploaded media, but it does not clearly warn users that their files and prompts will be transmitted to a third-party service. Because the skill handles potentially sensitive images and videos, the lack of a prominent privacy and data-transfer disclosure materially increases privacy and compliance risk.

VirusTotal

62/62 vendors flagged this skill as clean.