Joyfun Ai

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video-editing skill whose remote processing is coherent with its purpose, but uploaded videos and prompts go to NemoVideo's service.

Install only if you are comfortable sending clips, edit prompts, and session data to NemoVideo's cloud API. Avoid confidential or sensitive footage unless you trust that service's privacy practices, and be aware that first use may create an anonymous token/session and exports may depend on credits or plan limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 89% confidence
Finding
The routing table sends all unmatched requests to the SSE editing action, which is an overly broad trigger surface for a skill that can upload media, invoke remote processing, and consume user credits. This increases the chance of accidental invocation from ordinary conversation and could cause unintended cloud requests, media processing, or billable actions without sufficiently explicit user intent.

Vague Triggers

Medium, 85% confidence
Finding
The example invocations and description are broad and overlap with normal conversational requests such as making a video fun or engaging, which can cause the skill to activate when the user did not specifically intend to use this third-party service. In this context, accidental activation matters because the skill transmits user media to a cloud backend and may initiate token/session creation automatically.

Missing User Warnings

Medium, 96% confidence
Finding
The skill encourages users to send video clips and says processing happens on cloud GPUs, but it does not present a clear, front-and-center warning that uploaded media is transmitted to an external backend service for processing. For user-provided videos, this is a meaningful privacy and data-handling risk because sensitive or personal media may be sent off-device without sufficiently informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
