Free Free Generator

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-generation skill, but it can automatically connect to a third-party service and send broad prompts or uploads without a clear consent step.

Install only if you are comfortable sending prompts, uploaded media, and session data to nemovideo.ai for cloud processing. Avoid confidential, private, regulated, or client-owned media unless you have reviewed the service and accept the automatic token/session behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrases are broad and include generic language like "generate my text or images," which can cause the skill to activate for ambiguous user requests not clearly intended for this backend. Because the skill also auto-connects and may transmit user content to a remote service, accidental invocation can lead to unintended data disclosure and surprising external actions.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing table sends "Everything else" to the SSE generation path, which is an overly permissive catch-all for a skill that can upload content, create sessions, and send user text to a third-party API. This ambiguity increases the chance that unrelated or partial user messages are treated as generation commands and forwarded externally without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs automatic backend connection on first open and obtaining an anonymous token, but it does not prominently warn users that their prompts/files will be transmitted to an external service. This undermines informed consent and can expose sensitive text, images, or metadata to a third party unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
