Video Maker Easy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video maker that uploads user-selected media to NemoVideo for rendering, with no evidence of hidden or destructive behavior.

Install only if you are comfortable sending selected clips, images, audio, URLs, editing prompts, and related session data to NemoVideo's cloud service. Avoid confidential media unless you trust that provider, and keep any NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The startup prompt and example phrases are so broad that the skill may activate on generic conversation or ordinary file-sharing intent, causing unintended routing into this skill. In a skill that uploads user media and sends prompts to a cloud backend, accidental invocation can lead to unintentional disclosure of user content and surprise external API usage.

Vague Triggers

Medium
Confidence: 96%
Finding
The routing table includes a catch-all rule that sends 'Everything else' to the SSE backend, meaning many unrelated prompts may be forwarded to a remote service. This greatly increases the chance of accidental activation, unintended data transfer, and backend actions being taken without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill description says processing happens on cloud GPUs, but it does not present a clear, up-front user warning that uploaded media, prompts, and session data are transmitted to a third-party cloud backend. For a media-processing skill handling potentially sensitive photos, videos, and audio, this lack of explicit disclosure undermines informed consent and privacy expectations.

VirusTotal

64/64 vendors flagged this skill as clean.
