Free Video Maker Easy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-making skill, but users should understand their selected media and prompts are sent to NemoVideo for processing.

Install only if you are comfortable sending selected videos, images, audio, URLs, and editing prompts to mega-api-prod.nemovideo.ai for cloud processing. Use non-sensitive media unless you trust that service's privacy and retention practices, and do not share your NEMO_TOKEN in chats, logs, or screenshots.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Low
Confidence: 81%
Finding
The skill instructs reading local install path and configuration context to derive attribution/platform data, which exceeds what is needed for simple video rendering. Accessing local path and config information can expose host environment details and normalize unnecessary local inspection, increasing privacy and fingerprinting risk.

Vague Triggers

Medium
Confidence: 87%
Finding
The invocation guidance is broad enough that ordinary conversation like sharing clips or discussing ideas could trigger cloud actions unexpectedly. In this skill's context, that is more dangerous because prompts and user media may be sent to a third-party backend, potentially causing unintended uploads, session creation, or external processing.

Vague Triggers

Medium
Confidence: 89%
Finding
A catch-all route of 'everything else' to the SSE/edit path is overly permissive and may treat unrelated user requests as commands for the remote backend. Because this skill can transmit user prompts to a third-party service, ambiguous routing materially raises the risk of unintended external data disclosure and unauthorized actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill encourages users to drop media into chat and describes cloud GPU processing, but does not clearly warn that uploaded files and prompts are transmitted to a third-party backend. This is dangerous because users may unknowingly share sensitive media, audio, or metadata with an external service without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
