ClawHub

Jupiter Ai Text To Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose remote processing fits its purpose, but users should be careful about what files and prompts they send.

Install only if you are comfortable sending selected files, prompts, and render metadata to the NemoVideo/NEMO cloud backend. Avoid confidential or regulated content unless you trust that provider’s privacy and retention terms, keep NEMO_TOKEN private, and ask the agent to confirm before any upload, session creation, or export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The invocation examples are very broad and generic (for example, phrases like 'generate my text prompts' or 'export 1080p MP4'), which increases the chance the skill activates during ordinary conversation rather than through clear, deliberate invocation. In a skill that uploads content and triggers remote processing, accidental activation can cause unintended transmission of user data to the cloud backend and unexpected API-side actions.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing table contains an 'Everything else' catch-all that sends unmatched prompts to the SSE action, meaning nearly any free-form user message could be forwarded to the backend. Because the backend can interpret edits, uploads, and workflow commands, this overbroad routing materially raises the risk of unintended remote actions and disclosure of user content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill says it connects to a cloud processing backend and encourages users to share prompts/files, but it does not clearly warn that uploaded documents and instructions will be transmitted to a third-party remote service for processing. That omission undermines informed consent, especially because supported files can be large documents and the service maintains session state remotely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal