Maker Free Browser

Security checks across malware telemetry and agentic risk

Overview

This video-making skill appears purpose-aligned but needs review because it can automatically connect to a remote NemoVideo backend and may upload user media without clear upfront consent.

Review before installing. Use it only if you trust nemovideo.ai and are comfortable sending selected clips, audio, prompts, and session metadata to its cloud backend. Ask the agent to confirm before creating tokens, uploading media, or starting exports, and avoid confidential or regulated media unless cloud processing is authorized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (89% confidence)

The phrase inviting users to simply share clips or vague ideas is broad enough to activate the skill during ordinary conversation, increasing the chance of unintended routing. In a skill that uploads media and initiates remote processing, accidental activation can cause privacy-impacting actions or confusing side effects without clear user intent.

Vague Triggers

Medium (91% confidence)

Example trigger phrases like 'create my video clips' and 'turn my clips into a finished' are overly generic and could match many normal editing-related requests not intended for this specific skill. Because this skill connects to an external backend and may start authenticated cloud actions, vague triggers raise the risk of unintended data transfer and unexpected task execution.

Missing User Warnings

Medium (93% confidence)

Although later sections mention server-side rendering, the user-facing description does not prominently warn that uploaded media is sent to a remote cloud backend for processing. Users may reasonably believe 'in browser' means local-only handling, so the omission creates a meaningful privacy and consent risk for uploaded videos and audio.

VirusTotal

65/65 vendors flagged this skill as clean.
