ClawHub

Free Music Ai Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud media-generation integration that sends selected videos, images, prompts, and render jobs to NemoVideo, with some overbroad routing users should understand before use.

Install only if you are comfortable sending chosen media files, URLs, prompts, and render jobs to NemoVideo for cloud processing. Use a dedicated or limited NEMO_TOKEN where possible, avoid sensitive or regulated media unless you trust the provider, and ask the agent to confirm before uploading files, fetching URLs, or consuming account-linked credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance is broad enough that ordinary user phrases like 'generate my video or images' may trigger remote actions without clear confirmation of user intent. In a skill that uploads media and creates backend sessions, ambiguous triggering increases the chance of unintended data transfer or service usage.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The catch-all rule routes 'everything else' into the SSE action, which can send arbitrary user text to a remote backend for processing. Because the fallback is so permissive, normal conversation or unrelated text could cause unintended remote actions, data disclosure, or consumption of credits/services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill encourages users to upload videos or images to a third-party backend but does not clearly warn that files will leave the local environment and be processed remotely. This creates privacy and data-handling risk, especially for sensitive or proprietary media, because users may not realize their content is being transmitted off-platform.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The instructions direct the skill to use an environment token or acquire a backend token without clearly disclosing credential use to the user. While this is not credential exfiltration, silent use of local secrets or automatic account-linked authentication can violate user expectations and lead to unintentional service consumption.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal