Notes Of Video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-notes skill, but users should understand that it connects to NemoVideo and may upload videos and prompts for processing.

Install only if you are comfortable using NemoVideo's cloud service for this workflow. Do not upload confidential meeting or lecture recordings unless NemoVideo's privacy and retention terms meet your needs, and ask the agent to confirm before uploads, exports, or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Low (84% confidence)
Finding
The skill instructs the agent to automatically obtain an anonymous token and establish a backend session before handling any user request. That enables unsolicited third-party service access and account/session creation without clear user consent, which is risky because it sends metadata to an external API and can consume service resources even when the user has not asked to process a file.

Vague Triggers

Medium (88% confidence)
Finding
The example trigger phrases are broad and ambiguous, such as 'generate my video files' and 'export 1080p MP4,' which could match ordinary conversation and activate networked actions unexpectedly. In an agent environment, loose activation criteria can cause unintended file handling, backend calls, or export operations without sufficiently clear user intent.

Missing User Warnings

Medium (94% confidence)
Finding
The skill does not clearly warn users that their prompts, video files, and related metadata will be transmitted to a cloud backend. This is dangerous because users may share sensitive meeting recordings or lecture content under the assumption processing is local, creating privacy, confidentiality, and compliance risks.

VirusTotal

64/64 vendors flagged this skill as clean.
