Best Suno Ai

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-rendering skill, with privacy considerations because media and prompts go to nemovideo.ai.

Install only if you are comfortable sending audio/video files, prompts, and render metadata to nemovideo.ai for cloud processing. Avoid confidential or sensitive media unless you trust that service's privacy and retention practices, and be aware the skill can create or reuse a NEMO_TOKEN and remote session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 95% confidence

Finding: The suggested trigger phrases are very generic (for example, common phrases about converting files or exporting MP4s) and could match ordinary conversation unrelated to this skill. That increases the chance of accidental activation, which is particularly risky here because the skill can initiate network setup and upload user-provided media to a third-party cloud service.

Vague Triggers

Medium, 97% confidence

Finding: The routing table includes a catch-all rule ('Everything else') that sends nearly any unmatched prompt into the SSE/chat action. In practice, this creates broad, unintended activation and can cause arbitrary user messages to be forwarded to the remote backend, exposing prompts and potentially triggering remote actions without sufficiently clear user intent.

Missing User Warnings

Medium, 93% confidence

Finding: Although the skill mentions cloud GPU processing elsewhere, the user-facing description and onboarding section do not clearly warn that uploaded files and prompts are transmitted to a third-party backend. Because this skill handles user media files and free-form text, the lack of an upfront disclosure can lead to users unknowingly sharing sensitive or copyrighted content externally.

VirusTotal

65/65 vendors flagged this skill as clean.