ClawHub

Dzine Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent cloud video-generation integration, but users should know prompts and uploaded media are sent to the Dzine/Nemo backend.

Install only if you are comfortable sending prompts, uploaded files, media URLs, and basic session metadata to the Dzine/Nemo cloud service. Avoid confidential media unless you have reviewed that service's privacy and retention terms, and prefer using your own NEMO_TOKEN if you need account-level control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata advertises only JPG, PNG, MP4, and MOV support up to 200MB, but the body later instructs handling many more formats and URL-based uploads. This mismatch can mislead users and host platforms about what data types and ingestion paths are actually accepted, weakening review controls and increasing the chance that unexpected remote content is fetched or processed.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Routing 'everything else' to the generation/SSE action creates an overly broad trigger that can capture unrelated user requests and send them to a remote backend. In this skill, that means arbitrary text may be transmitted off-platform and acted on without sufficiently specific user intent, increasing privacy and unintended-action risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to automatically connect to the backend on first open and later supports file and URL uploads, but it does not require a clear consent step explaining that user content will be sent to a third-party cloud service. Automatic network initiation and remote processing of user media without explicit warning materially increases privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal