Add Subtitle To Video Vlc

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video/text generation skill that sends prompts and uploaded media to NemoVideo. The transfer is disclosed and purpose-aligned, but it is privacy-sensitive.

Install only if you are comfortable sending prompts, documents, audio, and video files to NemoVideo's cloud service for processing. Avoid sensitive personal or business media unless you have reviewed the provider's privacy and retention terms, and confirm ambiguous edit requests before uploading or exporting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is advertised as a narrowly scoped subtitle-embedding tool, but its routing logic explicitly handles broader editing requests such as aspect ratio changes, overlays, audio edits, and a catch-all path for general generate/edit operations. This scope mismatch can mislead users and host platforms about what the skill can do, increasing the chance that users send media for processing under false assumptions and that the agent performs actions outside the expected permission boundary.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The documentation exposes that the backend supports a full cloud render pipeline, multi-format media handling, stateful sessions, and export workflows well beyond simple subtitle embedding. When a skill presents itself as a simple subtitle tool but actually enables general media transformation, it creates a deceptive capability boundary that can undermine informed consent and platform review.

Vague Triggers

Medium
Confidence: 97%
Finding
The routing table includes a broad fallback of 'Everything else' to the SSE edit pathway, which means ambiguous or unrelated user prompts can trigger powerful backend operations. Overly permissive intent matching is dangerous because it expands the skill's effective authority beyond the stated purpose and makes unintended processing more likely.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill says it 'connects to a cloud processing backend' in setup text, but the description and getting-started content do not clearly warn users that uploaded video is transmitted to a third-party remote service for processing, storage, session management, and export. For media files, especially potentially sensitive personal recordings, insufficient cloud-transfer disclosure is a meaningful privacy and consent issue.

VirusTotal

66/66 vendors flagged this skill as clean.
