Photographer Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill whose network, upload, token, session, and export behavior fits its stated purpose, but users should understand that media and prompts are processed by NemoVideo online.

Install only if you are comfortable sending selected media, prompts, and related session metadata to NemoVideo for cloud processing. Use a dedicated or limited NEMO_TOKEN where possible, avoid confidential or regulated images, and treat generated download URLs as private links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 91%
Finding
The invocation language is broad enough to capture generic photo-editing or video-creation requests, which can cause the skill to activate outside its advertised scope. In a skill system, overbroad triggering can silently route user prompts and media to this third-party backend, creating unintended data exposure and consent problems.

Vague Triggers

Medium
Confidence: 89%
Finding
The opening prompt invites users to 'send it over' without clearly limiting what content should be sent or warning that uploads go to a remote service. That ambiguity increases the chance that users provide sensitive media or unrelated files under the mistaken assumption of local or narrowly scoped processing.

Vague Triggers

High
Confidence: 96%
Finding
The 'Everything else' fallback creates a catch-all trigger that can route nearly any unmatched request into the SSE backend. This is dangerous because it turns the skill into a broad proxy for arbitrary prompts, increasing the risk of accidental activation, unexpected third-party data transfer, and misuse beyond the declared slideshow purpose.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to establish a backend session and process uploads/prompts in the cloud, but it does not clearly warn users that their media and text will be sent to a third-party service. This creates a meaningful privacy and consent risk, especially because the skill handles personal photos such as wedding or portrait images that may contain sensitive personal data.

VirusTotal

66/66 vendors flagged this skill as clean.
