ClawHub

Dance Video

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is a coherent cloud dance-video editor, but users should know their selected videos and prompts go to NemoVideo for processing.

Install only if you intentionally want NemoVideo cloud processing for dance footage. Do not upload private, copyrighted, or sensitive recordings unless you are comfortable sharing them with that service, and prefer explicit confirmation before first connection, upload, or export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill invites activation from very generic phrases like sharing footage or vaguely describing what the user is thinking, which can cause the skill to engage when the user did not clearly intend to send media or start remote processing. In this skill’s context, unintended invocation is more concerning because the workflow includes automatic backend connection and eventual transmission of user prompts and uploaded videos to a third-party cloud service.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The catch-all rule routes 'everything else' into the editing SSE path, making activation boundaries unclear and allowing many unrelated or ambiguous prompts to trigger backend processing. Because this skill sends free-form text to a remote service and may act on uploaded files, broad routing increases the risk of unintended disclosure, unexpected actions, and user confusion about when cloud processing begins.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description emphasizes convenience but does not clearly disclose up front that user videos, prompts, and session data are transmitted to and processed by a remote cloud backend. In a media-processing skill handling personal recordings, that omission can lead users to share sensitive footage without informed consent about third-party processing and storage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal