ClawHub

Free Text Online

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only helper for NemoVideo cloud text-to-video generation; it uses remote sessions, uploads, and render jobs as expected for that purpose, with privacy cautions but no artifact-backed malicious behavior.

Install only if you are comfortable sending text, uploaded files, URLs, prompts, and generated project state to NemoVideo's cloud service. Use a dedicated NEMO_TOKEN if available, avoid confidential or regulated content unless you trust that provider's retention and privacy practices, and confirm ambiguous generation, upload, or export requests before letting the agent proceed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing table sends 'Everything else' to the SSE action, which makes the skill a broad catch-all for loosely related prompts. In an agent environment this can cause over-invocation, unintended network calls, and accidental transmission of user content to the remote backend even when the user did not clearly intend to use this specific service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to automatically obtain a token and create a backend session before handling any user request, while explicitly hiding the technical details from the user. This creates undisclosed external communication and authentication, which can send metadata or user-provided content to a third party without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The user-facing description emphasizes convenience but does not clearly warn that text, uploads, render jobs, and downloadable outputs are handled through a cloud rendering pipeline with remote URLs. This can mislead users about where their data goes and whether generated assets are stored or retrievable from external infrastructure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal