ClawHub

Photo Video Maker Arabic

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but its broad triggers can send photos or prompts to a cloud video service with too little explicit confirmation.

Review before installing. Use it only when you intentionally want selected photos and prompts sent to NemoVideo for cloud processing. Avoid sensitive personal media unless you trust the provider's handling and retention, protect NEMO_TOKEN, and require an explicit confirmation before upload, session creation, SSE editing, or export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The getting-started examples and invitation language are broad enough to match generic photo or video-editing requests, which can cause the skill to activate outside a clearly bounded user intent. That increases the chance of unintended routing to a cloud backend, unnecessary token use, or accidental upload/processing of user media when the user did not explicitly ask for this specific service.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The routing table includes a catch-all rule that sends 'Everything else' to the SSE action, effectively treating many unspecified prompts as authorization to contact the backend and perform edits. In a skill that can upload files, create sessions, and trigger remote processing, this vague trigger materially raises the risk of overbroad activation and unintended external data sharing.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The skill is presented as producing Arabic-captioned output by default, without clearly stating that language choice is optional or confirming the user's preference. This is mainly a consent and expectation-setting issue: users may receive unintended language transformations or content formatting that does not match their request.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal