Neural Frames Ai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AI video-generation skill, but users should know it sends prompts, uploads, and render state to a third-party cloud backend.

Install only if you are comfortable sending prompts, uploaded media, session metadata, and generated outputs to mega-api-prod.nemovideo.ai for processing. Treat NEMO_TOKEN as a sensitive credential and avoid private media unless you accept the service's retention and cleanup behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (84% confidence)
Finding
The onboarding and example phrases are broad enough that the skill may activate on generic prompt-writing or video-generation requests outside the user's intent to use this specific remote service. In practice, that can cause inadvertent routing of user content to the backend, increasing the risk of unexpected data disclosure and confusing or unauthorized workflow execution.

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs the agent to connect to a third-party backend, create sessions, and potentially obtain anonymous tokens without clearly warning the user that their prompts, files, and session metadata will be transmitted off-platform. This undermines informed consent and can expose sensitive user data to an external service unexpectedly.

Missing User Warnings

Low (86% confidence)
Finding
The documentation states that cloud jobs and session-linked render state may persist and even be orphaned, but it does not present this as a user-facing warning before use. That creates a privacy and operational risk because users may assume processing stops when they leave, while backend state and generated assets may continue to exist remotely.

VirusTotal

66/66 vendors flagged this skill as clean.
