Blog To Video Converter

Security checks across malware telemetry and agentic risk

Overview

This is a cloud blog-to-video skill whose remote processing, token use, and file upload behavior are broadly disclosed and aligned with its stated purpose.

Install only if you are comfortable sending blog drafts, PDFs, DOCX/TXT files, URLs, prompts, and session metadata to nemovideo.ai for cloud processing. Avoid confidential or private documents unless you trust that service’s privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 88% confidence
Finding
The example invocation language is broad enough to match generic blog/video creation requests, which can cause the skill to activate outside its intended boundaries. That increases the chance of unintended data handling and unexpected transmission of user content to the remote backend, especially when users did not explicitly ask to use this specific cloud service.

Vague Triggers

Medium, 96% confidence
Finding
The routing table contains a catch-all rule that sends 'Everything else' to the SSE backend, effectively forwarding any unmatched user request to a cloud service. In a skill that uploads content and maintains remote sessions, this creates an overbroad exfiltration and misuse risk because unrelated or sensitive prompts may be processed externally without sufficiently specific user intent.

Missing User Warnings

Medium, 93% confidence
Finding
The skill describes upload and processing behavior but does not present a clear, prominent warning that user files and text are sent to a third-party cloud backend. Because the skill handles potentially sensitive documents and URLs, inadequate disclosure undermines informed consent and can expose private content to external processing unexpectedly.

VirusTotal

62/62 vendors flagged this skill as clean.
