ClawHub

Free Video Hashtag Generator

Security checks across malware telemetry and agentic risk

Overview

This skill sends user videos and prompts to a disclosed cloud video service, but its broad video-editing behavior is mostly described in the artifact and no hidden install code was found.

Install only if you are comfortable sending video files, prompts, and session metadata to mega-api-prod.nemovideo.ai. Avoid private or sensitive media unless you trust that service, and confirm before uploads, exports, or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest advertises a narrow hashtag-generation capability, but the body documents a much broader cloud video editing and rendering system with upload, session, state, SSE chat, and export features. This mismatch is dangerous because users and platform reviewers may grant access to media and tokens under false expectations, while the skill can route data and actions to a far more capable remote service.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documented functionality includes generalized editing, rendering, export, timeline/state access, and arbitrary SSE-driven operations that exceed what is necessary for generating hashtags. Excess capability expands the attack surface and enables unexpected processing or exfiltration of user media through a remote backend under the guise of a simpler feature.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation repeatedly frames the tool as AI hashtag generation, while the operational details describe uploading media to a cloud render pipeline that returns processed video files. This deceptive framing can cause users to share content believing they are requesting metadata assistance, when they are actually invoking remote media processing and storage workflows.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The phrase inviting users to simply share clips or vague ideas is broad enough to activate the skill from ordinary conversation, increasing the chance of accidental invocation. In this skill's context, accidental activation is more dangerous because it can initiate connection setup and eventually upload user media to a cloud backend.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Example trigger phrases such as 'generate my video clips' and 'export 1080p MP4' are vague and map to broad media-processing actions rather than a clear hashtag-only workflow. This can lead to unintended skill routing and cause users to trigger upload/export behavior without understanding that a remote editing pipeline is involved.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill does not prominently warn users that uploaded videos, prompts, metadata, and session information are sent to a third-party cloud backend. Given the media-centric nature of the skill and the potentially sensitive content of videos, this omission creates a meaningful privacy and consent risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal