ClawHub

Free To Generation

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill whose remote API use is expected for its purpose, with privacy-relevant but disclosed prompt and media transfer.

Install only if you are comfortable sending prompts and chosen media files to NemoVideo's remote service for processing. Avoid confidential, regulated, or rights-sensitive media unless you trust that provider's privacy, retention, and account practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation text is broad enough that ordinary conversational requests like describing desired output could activate the skill unintentionally. In this skill's context, accidental activation can cause user prompts and uploaded media to be sent to a third-party remote API and can trigger authentication/session setup without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The catch-all routing rule sends nearly everything not matching a few keywords into the SSE execution path. Because that path initiates remote processing logic, ambiguous or unrelated user input could be forwarded to the external backend, increasing the chance of unintended data disclosure, unwanted job creation, or unexpected account/session activity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends prompts, uploads, and session data to a third-party cloud service, but the markdown does not provide a clear upfront warning or consent-oriented disclosure. In a media-processing skill, this matters because users may upload sensitive videos, images, audio, or proprietary scripts, and silent remote transfer materially increases privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal