4k With Session

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that should be reviewed because it promises 4K exports while its own pipeline says exports are capped at 1080x1920, and it connects to a third-party service automatically.

Review before installing. Use it only if you intend to send video, prompts, and project state to NemoVideo cloud services, avoid sensitive footage unless that is acceptable, use a revocable NEMO_TOKEN if possible, and verify the real export resolution before relying on the advertised 4K capability.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The skill advertises 4K output in its manifest, but the documented backend render pipeline later states output is capped at 1080x1920. This is a true integrity/deception issue because users may upload large source media or rely on the skill for a capability it cannot actually provide, leading to misuse of time, bandwidth, and potentially paid credits or subscription decisions based on false claims.

Intent-Code Divergence

High
Confidence: 98%
Finding
The documentation tells users they can download a 4K MP4, but a later section says cloud export is limited to 1080x1920. This inconsistency is a real security/trustworthiness problem because it can mislead users into sending high-value media to a remote service under false expectations, especially in a workflow involving uploads, sessions, and cloud processing.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to connect to a remote API and acquire tokens on first interaction before doing anything else, yet the description does not clearly disclose that user prompts, files, and session data will be transmitted to a third-party cloud service. This is dangerous because users may unknowingly expose private or sensitive media and metadata without meaningful informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
