Subtitle Maker Free

Security checks across malware telemetry and agentic risk

Overview

This subtitle tool is not clearly malicious, but it needs review because it sends media and broad edit requests to a cloud backend while making free/no-account claims that conflict with possible registration or upgrade requirements.

Review before installing. Use it only with videos, audio, and links you are comfortable sending to NemoVideo, keep NEMO_TOKEN private, and do not assume all export paths are free or accountless despite the marketing text. Require confirmation before export, upgrade, top-up, or broad editing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (72% confidence)

Finding: The catch-all routing rule sends 'everything else' into the SSE editing flow, which can cause unrelated user messages to be forwarded to a remote backend. In an agent setting, overly broad intent matching increases the chance of accidental data disclosure, unintended remote actions, or processing of prompts that were never meant for this skill.

Missing User Warnings

Medium (96% confidence)

Finding: The skill instructs the user to upload an MP4 or paste a video link to a cloud service, but it does not present a clear, up-front warning that the media and associated content will be transmitted to a third-party backend. Users may unknowingly send sensitive or private video/audio content off-device, which is a meaningful privacy and data-handling risk.

Missing User Warnings

Medium (97% confidence)

Finding: Although the skill mentions that rendered output is stored on vendor servers for 24 hours, it fails to provide a prominent privacy/system-impact warning before processing begins. Retention of user-generated video and subtitle artifacts on remote infrastructure increases exposure if the content is sensitive, regulated, or unexpectedly accessible during the retention window.

VirusTotal

63/63 vendors flagged this skill as clean.