Tiktok Photo Video Maker

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video maker that sends selected media and prompts to NemoVideo for processing. It contains no local executable code, but users should use it only for media they are comfortable uploading.

Install only if you are comfortable sending chosen photos, audio, prompts, and render session data to NemoVideo's cloud service. Prefer explicit commands, confirm before uploads or generation, use only the intended NEMO_TOKEN credential, and avoid private or sensitive media unless you accept that third-party processing.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The suggested invocation phrases are very generic (for example, common verbs like 'turn', 'export', and broad startup language), which increases the chance the skill activates during unrelated user requests. In a skill that can upload user media to a remote backend and initiate cloud processing, accidental activation can lead to unintended disclosure of files or prompts to a third party.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing table contains an 'Everything else' catch-all that maps broad user language to the SSE generation path. Because this skill performs network actions against a cloud service and may process user-supplied media, an ambiguous catch-all materially raises the risk of unintended activation, unintended outbound requests, and accidental transfer of sensitive user content.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill description emphasizes convenience and cloud rendering but does not clearly warn users, up front, that uploaded photos, audio, prompts, and session data are transmitted to an external backend. In a media-processing skill, this omission can cause users to share sensitive or personal content without informed consent, especially since the tool also creates anonymous tokens and persistent sessions automatically.

VirusTotal

66/66 vendors flagged this skill as clean.
