Text To Video Diffusion

Security checks across malware telemetry and agentic risk

Overview

This cloud video-generation skill sends work to NemoVideo using a token and session, but that behavior is disclosed and fits its stated purpose.

Install only if you are comfortable sending prompts, uploaded media, a generated client ID, token-backed requests, and render/session state to NemoVideo. Avoid confidential media unless you trust the provider, prefer a dedicated NEMO_TOKEN, and confirm before exporting or uploading sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low
Confidence: 87%
Finding
The skill acquires anonymous tokens and creates persistent remote sessions automatically, which expands access beyond a simple one-shot prompt flow and introduces credential/session handling risk. If session IDs or tokens are mishandled, logged, or reused improperly, an attacker or another process could access user jobs, uploads, or account credits.

Vague Triggers

Medium
Confidence: 89%
Finding
Routing 'everything else' to the SSE generation/edit path is overly broad and can cause unrelated or ambiguous user input to be forwarded to a remote backend. In this skill's context, that increases the chance of unintended data transfer, accidental action execution, or processing of sensitive user text as a generation command.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to automatically connect to a remote service and obtain tokens without a clear user-facing privacy or data-transfer warning. Because prompts, uploads, and metadata are sent to a third-party backend, users may unknowingly disclose sensitive information, making the silent auto-connect behavior materially risky.

VirusTotal

66/66 vendors flagged this skill as clean.
