ClawHub

Free Text No

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill appears purpose-aligned, but its broad catch-all routing could send unrelated user text or media to a cloud backend without clear enough user consent.

Review carefully before installing. Use it only when you intentionally want Nemo or its backend to process your prompt or uploaded media, avoid sharing private or confidential content, and require explicit confirmation before the skill sends ambiguous chat text or files to the remote generation service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill invites users to share broad free-form prompts such as 'tell me what you're thinking,' which can cause the skill to activate on ordinary conversation rather than a clear user intent to use a cloud video-generation service. In practice this can lead to unintended routing of sensitive user text into backend processing, especially because the skill auto-connects and begins remote operations once invoked.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table sends 'Everything else' to the SSE generation/edit path, which is an overly permissive catch-all. That makes accidental invocation likely and increases the chance that unrelated or sensitive conversation text is treated as a video-editing command and transmitted to the cloud service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Although the document mentions a cloud backend, it does not clearly warn users up front that their prompts and uploaded media are sent to a third-party remote service for processing. In a skill that handles free-form text and optional uploads, this omission creates a privacy and consent risk because users may disclose sensitive content without realizing it leaves the local environment.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal