ClawHub

Ai Video Generator For Youtube

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation connector, but users should only send scripts and media they are comfortable uploading to NemoVideo.

Install only if you are comfortable sending prompts, scripts, uploaded files, and generated project state to NemoVideo's cloud service. Keep NEMO_TOKEN private, watch credit and export usage, and avoid confidential or proprietary content unless you trust the provider's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The example invocations are broad and overlap with generic user intents like generating scripts or turning text into a video, which can cause the skill to activate outside a clearly bounded context. Because the skill then performs automatic setup and connects to an external API on first interaction, accidental invocation can lead to unintended network calls and possible transmission of user content to a third party.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing table sends 'Everything else' to the SSE action, creating an effectively catch-all activation path for a powerful external-processing workflow. This is risky because many normal editing or content-generation requests could be captured and forwarded to the remote service without sufficiently specific consent, increasing the chance of overbroad handling and data exfiltration to the vendor backend.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that it uploads content and runs cloud rendering through external endpoints, but it does not provide a prominent, explicit warning or consent step before transmitting user text, scripts, or files. In this context, the risk is elevated because the skill is designed to process user-supplied media and documents, which may contain sensitive or proprietary information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal