Letter Maker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-generation skill that sends selected user content to NemoVideo for rendering, with no executable install code or evidence of hidden or destructive behavior.

Install only if you are comfortable sending the selected letter text, images, video, audio, or URLs to NemoVideo's cloud service. Avoid confidential or sensitive personal content unless you trust that service, and use a dedicated or revocable NEMO_TOKEN where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (92% confidence)
Finding
The catch-all routing rule sends 'Everything else' to the SSE/generation action, which makes the skill activate on a very broad range of user prompts. In practice this can cause unintended invocation, accidental transmission of user content to the remote backend, and confused-deputy behavior where unrelated requests are interpreted as editing/generation commands.

Vague Triggers

Medium (89% confidence)
Finding
The trigger logic relies on broad keyword and intent classification without clear boundaries, which increases the chance of overmatching benign conversation and activating privileged upload/render actions unexpectedly. Because this skill can upload files and send messages to an external service, ambiguous activation materially raises privacy and safety risk.

Missing User Warnings

Medium (95% confidence)
Finding
The skill workflow sends user-provided text/images/files to a third-party cloud processing backend and later returns remote download URLs, but the user-facing description does not clearly warn about that data flow. This undermines informed consent and can expose sensitive personal letters, images, or media to external processing when users may reasonably expect local handling.
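
The three findings above describe the same mechanism from two sides: a catch-all routing rule that forwards unmatched prompts to the remote generation action, and no warning to the user before content leaves the machine. The following is an added illustration, not the skill's own code or configuration: the routing tables, rule patterns, action names and sample prompts are constructed for this example. It routes the same conversation through a permissive policy with an 'Everything else' rule and through a strict policy with explicit triggers, and shows the consent notice a skill should surface before any remote action.

```python
"""Added example: catch-all trigger routing beside explicit triggers
with a consent gate. All rules, prompts and action names below are
constructed for illustration; they are not the skill's real config."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Actions that upload user content to the remote backend (constructed).
REMOTE_ACTIONS = {"generate_video"}


@dataclass
class Rule:
    pattern: Optional[str]  # regex matched against the prompt; None = catch-all
    action: str


# Constructed policy mirroring the finding: anything that does not match an
# earlier rule falls through to the remote generation action.
PERMISSIVE_RULES = [
    Rule(r"\b(cancel|stop)\b", "cancel_job"),
    Rule(r"\bstatus\b", "check_status"),
    Rule(None, "generate_video"),  # 'Everything else' -> remote backend
]

# Constructed hardened policy: the remote action needs an explicit request,
# there is no catch-all, and unmatched prompts are handed back to the user.
STRICT_RULES = [
    Rule(r"\b(cancel|stop)\b", "cancel_job"),
    Rule(r"\bstatus\b", "check_status"),
    Rule(r"\b(make|create|render|generate)\b.*\b(letter|video)\b", "generate_video"),
]


def route(prompt: str, rules: List[Rule]) -> Optional[str]:
    """Return the first matching action for prompt, or None if nothing matches."""
    for rule in rules:
        if rule.pattern is None or re.search(rule.pattern, prompt, re.IGNORECASE):
            return rule.action
    return None


def remote_invocations(prompts: List[str], rules: List[Rule]) -> List[str]:
    """Prompts that would be uploaded to the remote backend under these rules."""
    return [p for p in prompts if route(p, rules) in REMOTE_ACTIONS]


def consent_notice(action: str, payload_kinds, backend: str) -> Optional[str]:
    """Warning to show before a remote action; None when the action stays local."""
    if action not in REMOTE_ACTIONS:
        return None
    kinds = ", ".join(sorted(payload_kinds))
    return (f"This will upload your {kinds} to {backend} for processing and "
            f"return a remote download URL. Continue? [y/N]")


# Constructed sample conversation: only the first line is a real request.
SAMPLE_PROMPTS = [
    "Please render a video of this letter to my grandmother",
    "What's the weather like today?",
    "Here is my medical history, can you summarize it?",
    "My password is hunter2, don't forget it",
    "status of my last job?",
]

if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE_RULES), ("strict", STRICT_RULES)):
        hits = remote_invocations(SAMPLE_PROMPTS, rules)
        print(f"{name}: {len(hits)} of {len(SAMPLE_PROMPTS)} prompts reach the backend")
        for p in hits:
            print("   ->", p)
    print(consent_notice("generate_video", {"letter text", "images"}, "NemoVideo"))
```

Under the permissive table four of the five constructed prompts, including the one containing a password and the one containing medical history, are routed to the upload action; under the strict table only the explicit render request is. The consent notice is what the third finding says is missing: it names the destination and the fact that a remote URL comes back, before anything is sent.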

VirusTotal

66/66 vendors reported this skill as clean.