ClawHub

Script To Video Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent cloud video-generation integration, but it sends scripts, prompts, files, and session data to Nemovideo for processing.

Install this only if you are comfortable sending scripts, uploaded files, URLs, prompts, and generated project state to Nemovideo's cloud service. Avoid confidential or unreleased material unless you accept that provider exposure, and protect any NEMO_TOKEN used by the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill uses broad activation phrases and a catch-all route of "Everything else" to the SSE backend, which can cause unintended invocation from ordinary conversation and send user text to a remote service without clear intent. In this skill’s context, that increases the chance of accidental data disclosure and unintended remote actions because free-form messages are treated as operational commands.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The phrase "Or just tell me what you're thinking" is an ambiguous catch-all prompt that does not constrain scope, making it easy for unrelated user input to be interpreted as a request to contact the backend or manipulate a session. Because this skill forwards general prompts into a remote generation pipeline, ambiguous invocation materially raises the risk of accidental processing of sensitive or irrelevant content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to automatically connect to the backend and, if needed, obtain an anonymous token without a clear upfront notice or consent flow. This is dangerous because it initiates external network activity and credential creation automatically, potentially exposing metadata and enabling account/session creation before the user understands that a third-party service is being contacted.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The user-facing description says the skill will handle AI video creation on cloud GPUs but does not clearly warn that uploaded scripts and chat messages are transmitted to a cloud backend for processing. In this context, users are likely to upload drafts, scripts, or subtitles that may contain proprietary or personal information, so the missing disclosure meaningfully increases privacy and data-handling risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal