ClawHub

To Maker Generator

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill appears purpose-aligned, but it needs Review because broad routing could send user prompts or media to NemoVideo services without a clear enough confirmation boundary.

Install only if you are comfortable sending the videos and edit prompts you use with this skill to NemoVideo cloud services. Avoid private, confidential, or client media unless the publisher provides clear retention, access, and deletion terms, and confirm intent before uploads or exports when the request is ambiguous.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The example invocations are very generic (for example, 'export 1080p MP4' and 'convert my raw video clips') and can overlap with ordinary user requests outside a deliberate invocation context. In a skill that uploads media and sends prompts to a remote backend, broad triggering increases the chance of accidental activation, unintended cloud processing, and unintentional disclosure of user media or instructions.

Vague Triggers

Medium
Confidence
98% confidence
Finding
The routing table sends 'Everything else' to the SSE generation/edit path, which is an unsafe catch-all because it can treat unrelated natural language as an editing command. Given that SSE requests transmit user text to a third-party service and may mutate session state, this fallback materially raises the risk of accidental remote processing and unintended actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Although the file later mentions server-side rendering, the initial user-facing description and setup flow do not prominently warn that uploaded clips, prompts, tokens, and session data are sent to a cloud backend. For a media-processing skill, this omission can mislead users about data handling and privacy exposure, especially when personal videos may be uploaded.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal