ClawHub

Auto Generator Pro

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real cloud video-generation helper, but it can send user media and broad editing prompts to a third-party service with limited confirmation and retention guidance.

Review before installing. Use this only for explicit video-generation tasks, avoid sensitive footage unless you trust the nemovideo.ai service, and confirm what will be uploaded before allowing media or prompts to be processed remotely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
The skill instructs the agent to derive and transmit installation-source and platform attribution headers based on local install paths, which are unrelated to core video generation. This leaks environment metadata to a third-party service and creates unnecessary fingerprinting of the user or host environment.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The startup instruction invites users to share raw footage or vague ideas, creating a broad activation surface for a skill that uploads data to a cloud backend. Overly permissive invocation can cause accidental routing, unintended media disclosure, or backend calls when the user did not clearly intend to use this specific external service.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Example trigger phrases like 'generate my raw footage' and especially incomplete or generic phrases such as 'automatically cut, arrange, and generate a' are too ambiguous for a cloud-connected skill. Ambiguous triggers increase the chance that ordinary editing requests are misrouted into remote processing workflows involving file upload and persistent session state.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The catch-all rule routes 'Everything else' related to generating, editing, or adding BGM to SSE processing, which is too broad for a skill that can upload media, maintain remote session state, and invoke rendering actions. This can cause unintended backend interactions from loosely related user prompts and makes prompt-based control boundaries weak.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes cloud processing but does not clearly warn users that their media will be uploaded to an external backend for processing. This is a meaningful privacy and consent issue because users may provide sensitive footage without understanding it leaves the local environment.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The documentation indicates that session tokens carry render job IDs and that jobs or session state persist remotely, but it does not present this as a clear user-facing warning. Users may not realize their drafts, jobs, and media metadata remain on the provider side beyond the immediate interaction.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal