Video Cv Maker Free

Security checks across malware telemetry and agentic risk

Overview

This skill appears to make video resumes through an external cloud service, but it under-discloses that resumes and photos may be uploaded and tells the agent to hide backend/token details from the user.

Install only if you are comfortable sending resume content, photos, and generation prompts to the external video backend. Ask for an explicit privacy notice, confirm whether an anonymous token or your own token will be used, and avoid uploading sensitive personal details unless you understand retention and deletion terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill is not limited to transforming user-provided content into a video CV; it also instructs the agent to obtain anonymous tokens, manage sessions, and check credits. That expands the skill into account/bootstrap and quota-management behavior against an external service, increasing abuse potential and enabling use of third-party resources without explicit user understanding or consent.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The documented export support includes many general-purpose media formats such as avi, webm, mkv, jpg, png, gif, webp, mp3, wav, and aac, which is broader than a narrowly scoped video-CV maker. This scope creep can let the skill act as a generic media conversion or file-processing front end, increasing the chance of unintended or policy-violating use.

Vague Triggers

Medium
Confidence: 84%
Finding
The description includes broad phrases like creating content from text or photos and quick social content, which can match many ordinary media-editing requests beyond the named skill purpose. Overbroad invocation language raises the risk of accidental triggering and silent routing of unrelated user content to an external backend.

Vague Triggers

Medium
Confidence: 82%
Finding
The example phrase 'creating a video resume to send to employers for job seekers' is vague and not phrased as a concrete user command, making intent classification less precise. Ambiguous exemplars increase the chance the skill activates on loosely related employment or media requests.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly directs the agent to establish backend connections, obtain or mint tokens, and then hide those technical details from the user. Because the skill processes sensitive resumes and headshots through an external API, concealing the transmission and credential handling materially undermines informed consent and creates privacy and trust risks.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill invites users to upload resumes and photos, both of which commonly contain sensitive personal and biometric information, yet provides no clear privacy or data-handling warning. In this context, omission of disclosure is dangerous because users may unknowingly send PII to a third-party cloud rendering service.

VirusTotal

64/64 vendors flagged this skill as clean.
