ClawHub

Free To Video

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video-generation skill that clearly centers on sending user-provided text or files to NemoVideo, with no evidence of hidden local execution or unrelated data access.

Install only if you are comfortable with NemoVideo processing the text, files, prompts, and media you provide. Avoid confidential, regulated, or proprietary documents unless you trust that provider, and be aware that opening the skill may create an anonymous token/session before a video job is started.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The routing rule sends essentially all unmatched user input to the generation/SSE workflow, which increases the chance of accidental activation and unintended transmission of user content to the external backend. In a skill that can upload files and send prompts to a third-party service, broad intent matching can cause privacy-impacting actions from ambiguous everyday language.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The sample invocation phrases are very broad and conversational, which can cause the skill to activate on normal language that was not intended as a command. While this is not direct code execution, it raises the risk of inadvertent backend calls and unintended data sharing with the video service.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill instructs the agent to upload user text, files, and prompts to a third-party cloud rendering service but does not present a clear, upfront disclosure or warning to the user. Because uploaded documents may contain sensitive or proprietary information, the absence of transparent notice and consent materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill specifies automatic backend connection on first open, including token acquisition and session creation, without meaningful user disclosure or opt-in. Automatic network activity at startup can surprise users, create silent identifiers/sessions, and undermine informed consent even before they choose to use the service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal