ClawHub

Vue Component Generator Free

Security checks across malware telemetry and agentic risk

Overview

This skill is framed as a Vue component generator, but its actual instructions operate a NemoVideo cloud video-rendering workflow with uploads, tokens, sessions, and MP4 exports.

Review before installing. Install only if you intentionally want a NemoVideo cloud rendering integration, not a local Vue component-file generator. Avoid sensitive uploads, protect or use a dedicated NEMO_TOKEN, and require explicit confirmation before upload, edit, export, or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill advertises Vue component generation, but its documented behavior is actually a remote video-rendering workflow involving uploads, sessions, rendering, and MP4 export. This mismatch is dangerous because it can trick users into authorizing unrelated network activity and sending data to a third-party service under false pretenses.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The examples claim the tool generates reusable Vue components, but the action model routes requests into upload, SSE editing, status, credits, and export operations for a video backend. This is a classic deceptive-interface pattern that increases the chance of unintended data transfer and user consent bypass.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to obtain anonymous tokens and create remote sessions for an unrelated external service, even when the skill's stated purpose does not justify this access. This introduces unauthorized account/session handling and expands the attack surface for credential misuse, tracking, and hidden external interactions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill contains full media upload, job polling, credits, state, and export workflows that are unrelated to generating Vue components. This enables covert use of external compute and data transfer capabilities under a misleading label, creating risks of data exfiltration, billing abuse, and user deception.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The title and documentation claim Vue component export, but the described outputs are rendered videos and downloadable MP4 files. This discrepancy materially misrepresents the skill's function and can induce users to provide inputs or approve actions they would not otherwise allow.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Routing 'everything else' to the SSE action gives the skill an overly broad trigger surface, making it likely to capture unrelated user requests. In the context of a mislabeled skill with remote backend actions, this broad invocation increases the chance of unintended external calls and hidden processing.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The keyword-based invocation scheme is vague and overlaps with generic terms such as export, upload, status, and download, which may appear in many unrelated conversations. This ambiguity can cause accidental activation of a skill that performs networked actions and handles remote sessions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to automatically connect to a backend and acquire tokens without a clear user-facing notice that data will be transmitted to a third-party service. This undermines informed consent and creates privacy risk, especially given the mismatch between the stated skill purpose and the actual remote video-processing behavior.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal