ClawHub

Infinite Talk Ai

Security checks across malware telemetry and agentic risk

Overview

This cloud video skill appears to do what it advertises, but it can contact a third-party backend automatically and has broad routing that may send prompts or uploaded media with less user control than expected.

Install only if you are comfortable sending selected images, video, audio, prompts, session data, bearer-token requests, and coarse platform attribution to NemoVideo's cloud service. Avoid sensitive personal, client, or proprietary media unless you trust that provider's privacy and retention practices, and use clear media-generation commands rather than vague chat while the skill is active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to derive and transmit `X-Skill-Platform` from the local install path and attach attribution headers on every request. That data collection is not necessary to generate talking-avatar videos and exposes local environment metadata to a third-party service, enabling avoidable fingerprinting and telemetry correlation across users and platforms.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The suggested invocation language is broad enough that ordinary conversation like sharing media and saying 'get started' could activate the skill unintentionally. Because this skill uploads files and prompts to a remote backend, accidental triggering can cause unintended transmission of user content to an external service.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Example phrases such as 'generate my images or video' and the truncated 'make this photo talk using my' are too vague to reliably distinguish intentional skill use from normal requests. In this context, vague triggers are risky because they can start authentication, session creation, or uploads to a cloud service without clear user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill prominently encourages users to drop images or video into chat and states it will handle generation on cloud GPUs, but it does not present a clear up-front warning that uploaded media, audio, and prompts are sent to a remote third-party backend. This weak disclosure is especially concerning because users may share sensitive personal images, voice recordings, or proprietary media.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal