ClawHub

Text To Video Notegpt

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only connector for a cloud text-to-video service, with expected cloud upload risks but no evidence of malware, deception, or local persistence.

Install only if you are comfortable sending the notes, files, and editing prompts you provide to NemoVideo's cloud service. Avoid sensitive personal, business, or educational documents unless you trust that service, and confirm ambiguous requests before allowing the skill to upload files or send prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The suggested invocations are extremely generic phrases like "convert my text or notes" and "export 1080p MP4," which can overlap with ordinary conversation or unrelated user intent. In an agent environment, this increases the chance of accidental skill activation and unintended transmission of user content to the external video backend.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table ends with a catch-all rule that sends "Everything else" to the SSE action, meaning nearly any unmatched message may be forwarded to the remote backend. Because SSE transmits user text to a cloud service and may trigger edits or generation, this broad activation condition can cause unintended external data disclosure and unexpected actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explains cloud processing behavior, but it does not clearly warn users up front that uploaded notes, documents, and prompts are transmitted to a third-party backend for processing. Since the skill encourages uploading potentially sensitive educational or creator materials, the lack of a prominent disclosure creates a meaningful privacy and consent risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal