Viral Reels

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose network use and media upload behavior are disclosed and fit its purpose, though users should treat uploaded media as shared with a third-party service.

Install only if you are comfortable sending selected media files, edit prompts, session data, and render jobs to mega-api-prod.nemovideo.ai. Avoid uploading private, regulated, or confidential footage unless you trust that service's handling of it, and review token/account behavior before relying on free credits, export, or paid features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
85% confidence
Finding
The skill advertises itself as a video-reel tool for a narrow set of video formats, but the implementation documentation accepts many additional media types including images and audio. This expands the skill’s effective data-handling scope beyond user expectations and weakens input-boundary controls, increasing the chance of unintended ingestion of sensitive or unsupported content.

Context-Inappropriate Capability

Low
82% confidence
Finding
The skill performs automatic anonymous token acquisition and session creation against a third-party backend without a clear upfront consent step. This creates hidden authentication and tracking behavior, and could cause users to unknowingly interact with an external service under automatically provisioned credentials.

Vague Triggers

Medium
80% confidence
Finding
The catch-all routing rule sends nearly any editing-related prompt to this skill, which can cause over-broad activation and unintended transmission of user requests or media to the external backend. Poorly bounded invocation logic increases the risk of accidental data disclosure and misuse outside the user’s intended task scope.

Missing User Warnings

High
95% confidence
Finding
The skill does not clearly warn users at the point of use that uploaded media and prompts are sent to a third-party cloud backend for processing. For a media-editing skill handling potentially sensitive videos, this omission materially undermines informed consent and can expose private content, metadata, or personal information to an external processor.

VirusTotal

65/65 vendors flagged this skill as clean.
