ClawHub

Best Subtitles

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud subtitle/video rendering skill, but it gives a remote editing backend broader authority than the subtitle-focused description clearly sets up.

Install only if you are comfortable sending videos, prompts, and generated project state to NemoVideo cloud services. Treat it as a broader remote video-editing skill, not just a caption generator, and avoid using sensitive, confidential, or regulated media unless you have reviewed NemoVideo's handling and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a subtitle tool, but the documentation exposes a much broader remote media-editing and rendering surface, including upload, state inspection, SSE-driven edits, and export workflows. This scope expansion increases the chance that user requests are routed into unintended backend capabilities and can lead to over-collection of user media or misuse of remote actions beyond the user's reasonable expectations.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Routing essentially all unmatched prompts to a generic SSE action creates an overly permissive prompt-to-backend bridge. In this skill, that is especially risky because the SSE endpoint appears to drive a general-purpose remote editing agent, so arbitrary user text may trigger unintended backend operations beyond subtitle generation, increasing the risk of prompt injection, scope bypass, and unsafe remote action execution.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill asks users to upload videos and connect to a cloud processing API, but it does not clearly warn in the primary description that user media will be transmitted to a third-party remote service. For a tool handling potentially sensitive video/audio content, this omission undermines informed consent and can expose private or regulated data to external processing unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal