ClawHub

Video Effects

Security checks across malware telemetry and agentic risk

Overview

This video-effects skill appears purpose-aligned, but it needs review because it may send user media to a third-party backend without clear enough disclosure or narrow invocation controls.

Review this skill before installing. Use it only for videos you are comfortable sending to NemoVideo or the named backend, and prefer installing after the publisher adds explicit upload disclosure, narrower trigger phrases, and a confirmation step before any media is transmitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The suggested trigger phrases are broad and conversational enough that the skill may activate on ordinary user messages rather than clear opt-in commands. In a skill that uploads media and connects to a remote backend automatically, overly loose invocation increases the chance of unintended processing or disclosure of user files.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The catch-all rule routes 'everything else' into the editing/SSE path, which is too ambiguous for a high-impact skill handling user media and cloud actions. This can cause accidental invocation from general conversation and may send unintended user text or workflow actions to the third-party backend.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The public description emphasizes convenience but does not clearly warn that user videos are uploaded to and processed by a remote third-party service. Because videos can contain sensitive personal, biometric, location, or confidential content, lack of upfront disclosure undermines informed consent and can lead to unexpected data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal