ClawHub

Subtitle Video Generator

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only NemoVideo subtitle-generation skill with expected external API use and credential requirements, but users should treat uploaded videos as sensitive third-party processing.

Install only if you are comfortable using a NemoVideo API token and sending selected video/audio content and prompts to NemoVideo's external service. Avoid confidential, regulated, or private media unless NemoVideo's privacy, retention, training, and compliance terms meet your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to upload videos and send detailed processing requests to a third-party API, but it does not disclose privacy, retention, or data-handling expectations. Because videos may contain sensitive audio, faces, PII, or confidential business content, the absence of an explicit warning can mislead users into transmitting regulated or proprietary data off-platform without informed consent.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The manifest declares a required NEMO_TOKEN and config path, showing the skill depends on authenticated access to a remote service, yet the user-facing documentation does not clearly warn that execution requires configuring credentials for external processing. This can cause users to unknowingly connect local workflows to a third-party service and mishandle credentials or misunderstand the trust boundary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal