Dreamina Seedance

Security checks across malware telemetry and agentic risk

Overview

This cloud video-generation skill is coherent and disclosed, but users should treat uploaded photos and the NemoVideo token as sensitive.

Install only if you are comfortable sending selected photos, prompts, media, and generated outputs to NemoVideo/Dreamina cloud services. Do not upload sensitive images or images of people without consent, and use a token/account whose credit usage you are willing to expose to this workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The routing table sends "Anything else" to the SSE pipeline, which makes the skill activate on a very broad set of unrelated user inputs. In practice this can cause accidental handling of prompts, unintended uploads/processing, and surprise transmission of user content to the remote backend.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The description encourages users to upload photos of a person but does not clearly warn that those images are sent to an external cloud service for processing. This creates a privacy risk because users may share sensitive biometric or personal imagery without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The backend section documents remote GPU processing, uploads, SSE messaging, and export through external endpoints, but it does not present this as a clear warning to the user at the point of use. That omission increases the chance that sensitive images, media, and generated outputs are sent off-device unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal