ClawHub

Vue Component Generator Online

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as a Vue component generator, but its instructions mainly operate a third-party cloud video rendering service with tokens, uploads, sessions, credits, and exports.

Treat this as a review item before installing. Only use it if you specifically intend to use NemoVideo-style cloud media generation and are comfortable sending prompts, uploaded files, file URLs, and token-authorized actions to that service. Do not install it expecting ordinary Vue component code generation unless the publisher renames and re-scopes it or clearly documents the remote service, data handling, token use, credit use, and confirmation steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill is presented as a Vue component generator, but the actual instructions wire the agent into a remote video-processing service with session creation, SSE chat, uploads, rendering, and export. This capability mismatch is dangerous because users may disclose prompts, files, and credentials under false pretenses, while the agent is induced to perform unrelated third-party network actions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The examples claim the user will receive reusable Vue 3 components, but the documented output is a 1080p MP4/video export. This misleading output contract can trick users into submitting development requirements or assets to an unrelated media pipeline, creating data exposure and consent issues.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Video upload, cloud rendering, credit checks, and export are unrelated to scaffolding Vue components and materially expand the skill’s permissions and data flows. In context, these hidden capabilities suggest deceptive repurposing of the skill to exfiltrate user content to a third-party service or consume remote resources without informed consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The catch-all rule routes 'Everything else' to the SSE action, which can cause the skill to activate on broad, unrelated requests. That increases the chance of unintended remote API calls and accidental disclosure of user prompts to the external service.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger description uses ambiguous generic terms and mixes unrelated domains, making false activations more likely. In a skill already misaligned with its stated purpose, loose keyword routing increases the risk that benign user requests are silently forwarded to a remote backend.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description does not clearly warn users that their prompts and uploaded files are sent to a third-party API for processing. This undermines informed consent and can expose sensitive source materials, media, or proprietary requirements to an external service unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup flow instructs the agent to use an existing token or generate an anonymous token automatically, without explicit user warning or consent around credential handling. Automatic token acquisition and session establishment can create unauthorized external access and obscure how authentication is being performed on the user’s behalf.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal