ClawHub

Maker Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent remote video-generation skill, but users should know their prompts and uploaded media are processed by NemoVideo's cloud API.

Install only if you are comfortable sending prompts, images, video, audio, and rendered project data to NemoVideo's remote service. Avoid sensitive media unless you trust that service, and check separate retention, deletion, and billing terms before using it for private or commercial assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The getting-started examples are broad enough that ordinary conversational requests about making or generating videos could invoke this skill without a clearly bounded user intent. That can cause unintended activation and automatic network actions, including token acquisition and session creation, which is risky for a skill that uploads media and sends prompts to a remote service.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing table ends with a catch-all rule that sends 'everything else' to the SSE action, which is effectively remote prompt forwarding for any unmatched user text. In practice, that means normal discussion, ambiguous instructions, or unrelated chat could be transmitted to the backend, increasing the chance of unintended remote processing and data disclosure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill describes cloud rendering and remote GPU processing, but it does not present a clear user-facing warning that uploaded media, prompts, and possibly derived project state are transmitted to third-party APIs for processing. Users may share sensitive videos, images, or text without informed consent, creating privacy and confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal