ClawHub

Maker Free Online

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-making skill, but it can automatically create remote sessions and send broad user prompts or uploaded media to a third-party backend without strong upfront user control.

Install only if you are comfortable sending prompts, uploaded images, clips, and related project state to mega-api-prod.nemovideo.ai. Avoid private or sensitive media unless you trust that provider, and confirm whether the skill will use your NEMO_TOKEN or guest-mode credits before starting a session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example invocation language is broad and overlaps with ordinary conversation about creating videos from images or clips, which can cause the skill to activate when the user did not clearly intend to use this specific third-party service. Because the skill uploads user media and prompts to a remote backend, accidental invocation increases the chance of unintended data transfer and backend interaction.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing rule sends “Everything else” to the SSE chat action, making the trigger surface extremely broad and likely to match normal editing or conversational requests. In this skill, that broad routing is more dangerous because the default action establishes backend sessions and can transmit user instructions to an external API without a strong, explicit invocation boundary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The user-facing description encourages uploading images or clips but does not clearly warn that both media and prompts are sent to a remote backend service. This omission undermines informed consent and is especially risky for personal, proprietary, or sensitive media that users may assume is processed locally or within the host platform.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The session creation request hardcodes `"language":"en"` without asking the user, which can cause user content to be processed under the wrong language context and may lead to mistranslation or unintended prompt handling. This is primarily a consent and reliability issue rather than a direct security exploit, but it can still affect user expectations and correctness.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal