Pet Video Maker

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a straightforward remote pet-video generation workflow, with privacy and token-handling caveats users should understand.

Install only if you are comfortable sending pet footage, prompts, and related request data to NemoVideo. Review clips for faces, children, addresses, home interiors, license plates, or sensitive audio before uploading, and keep NEMO_TOKEN out of shared logs, screenshots, and shell snippets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to upload raw pet footage to a remote service without warning that clips may contain identifiable people, children, addresses, home interiors, license plates, or other sensitive context. In a pet-video workflow this is especially plausible because footage is often shot casually inside private homes, so external transmission can expose personal data without informed consent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The example sends a bearer token to an external API but provides no warning about secret handling, token scope, or the risk of exposing credentials in shell history, logs, screenshots, or shared snippets. While using an Authorization header is normal, documentation that omits credential-safety guidance increases the chance of accidental token leakage and unauthorized API use.

External Transmission

Medium
Category: Data Exfiltration
Content
### Step 3 — Generate
```bash
curl -X POST https://mega-api-prod.nemovideo.ai/api/v1/generate \
  -H "Authorization: Bearer $NEMO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 90%

VirusTotal

65/65 vendors flagged this skill as clean.
