Ai Video Marketing Automator

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-editing skill, but it needs review because it can automatically connect to Nemo's backend and send broad prompts or uploaded media there without a clear consent step.

Install only if you are comfortable sending video files, prompts, timeline state, and render data to Nemo's cloud service. Avoid using it with confidential client footage, unreleased products, private recordings, or regulated content unless you have confirmed the service's retention and privacy terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The invocation examples and positioning are broad enough to match common requests about converting footage or creating promotional videos, which can cause the skill to trigger in situations where a user did not clearly intend to invoke this specific cloud-connected skill. Because the skill can upload user-provided media and initiate remote processing, over-broad invocation increases the chance of accidental data transfer and unintended third-party service use.

Vague Triggers

Medium
Confidence: 96%
Finding
The routing table includes a catch-all rule that sends 'Everything else' to the SSE action, meaning nearly any unmatched prompt could be forwarded to the remote backend. This is dangerous because arbitrary user text, including sensitive or unrelated content, may be transmitted off-platform and could trigger unintended edits, uploads, or processing behavior without sufficiently specific user consent.

Missing User Warnings

Medium
Confidence: 90%
Finding
Although the file mentions a cloud backend and server-side rendering elsewhere, the user-facing setup/description area does not present a clear, prominent warning that uploaded footage will be sent to a remote third-party service. For a skill handling potentially sensitive video content, insufficient disclosure can lead users to share proprietary or personal footage without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
