Music Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud music-video generator that sends user media and prompts to NemoVideo as part of its stated purpose.

Install only if you are comfortable sending your prompts, uploaded media, and any provided URLs to NemoVideo for cloud processing. Use a scoped NEMO_TOKEN if you have one, watch credit usage, and avoid uploading confidential files or private URLs unless you trust the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill allows ingesting media from arbitrary URLs, which expands its behavior beyond simple user-uploaded local files. This can enable unintended server-side fetching of third-party resources, increasing the risk of abuse such as pulling untrusted content, accessing sensitive/internal endpoints if the backend is not hardened, or processing content the user does not actually possess locally.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to use an environment token or silently obtain an anonymous token and send it to a remote backend without explicit user consent or disclosure. This is dangerous because it can cause users' prompts, media, and potentially account-scoped activity to be transmitted off-device under credentials the user may not realize are being used.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill emphasizes server-side upload, rendering, and export while explicitly telling the agent to hide technical details from the user. That creates a transparency and privacy problem because users may believe processing is local when their audio, images, and project data are actually uploaded to remote GPU infrastructure.

VirusTotal

66/66 vendors flagged this skill as clean.
