ClawHub

Ai Youtube Video Maker

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video-making skill whose token, upload, and render behavior matches its stated purpose, though users should be aware their media and prompts go to NemoVideo.

Install only if you are comfortable sending selected images, video, audio, prompts, and editing instructions to NemoVideo's cloud service. Avoid sensitive media, use a dedicated token where possible, and ask the agent to confirm before uploads, exports, or credit-spending actions if you want tighter control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The startup prompt and example invocations are broad enough that ordinary user conversation could unintentionally activate the skill. Because this skill uploads media and sends prompts to a remote backend, accidental activation can lead to unintended cloud transmission of user content or surprise network actions without clear consent.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing table includes an 'Everything else' catch-all that sends unmatched prompts into the SSE generation path. In practice, this can cause non-video-related user text to be forwarded to the backend, increasing the chance of unintended data disclosure, unwanted API usage, and confusing autonomous actions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill encourages users to upload clips, images, and audio and states that processing occurs on cloud GPUs, but it does not present a clear user-facing warning that uploaded media and prompts are transmitted to a third-party cloud service. This omission undermines informed consent, especially since media files may contain sensitive personal, biometric, or copyrighted content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal