Video Hd

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video upscaling/editing skill, but users should know their selected media is sent to a NemoVideo backend.

Install only if you are comfortable sending selected videos, media URLs, and edit prompts to mega-api-prod.nemovideo.ai. Use a dedicated Nemo token if possible, watch credit usage, and avoid uploading private or sensitive footage unless you trust the provider's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill is presented as a narrow HD upscaling/export tool, but the implementation exposes a much broader remote video-editing and rendering surface through generic SSE-driven editing, state inspection, upload, credit, and export flows. This mismatch weakens user consent and review assumptions: users may invoke capabilities or send content to a cloud workflow they did not reasonably expect from the manifest description.

Vague Triggers

Medium
Confidence: 94%
Finding
Routing 'everything else' to the SSE action creates an overly broad prompt surface that can capture unrelated or ambiguous user input and forward it to a powerful remote backend. This increases the risk of unintended actions, over-collection of user content, and abuse of backend capabilities beyond the user’s expected request.

Missing User Warnings

Medium
Confidence: 89%
Finding
The setup flow instructs automatic connection to a cloud backend, anonymous token issuance, and session creation, but does not clearly warn users that uploaded videos are transmitted to third-party infrastructure and may remain associated with server-side jobs or sessions. For media content, this is a meaningful privacy and data-handling risk because users may upload sensitive recordings without informed consent about retention and processing.

VirusTotal

64/64 vendors flagged this skill as clean.
