Text To Video Automatic

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud-backed video/text generation helper, and the reviewed behavior fits that purpose, though users should avoid sending sensitive files or prompts unless they trust NemoVideo.

Install only if you are comfortable sending prompts, uploaded files, and project state to NemoVideo cloud services. Do not upload confidential documents, private videos, or regulated data unless you have reviewed NemoVideo's privacy and retention terms and are comfortable with the anonymous-token or NEMO_TOKEN flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The routing table sends all unmatched prompts to the SSE generation path, which can cause unintended transmission of arbitrary user input to the remote backend. In a skill that uploads user content and initiates cloud processing, this broad catch-all increases the chance of accidental activation, privacy leakage, and unexpected external actions without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The setup and usage instructions indicate that prompts, uploads, and session data are sent to a third-party cloud backend, but the user-facing description does not clearly disclose that external transmission occurs. This is dangerous because users may provide sensitive scripts, documents, or media under the mistaken assumption that processing is local, creating a privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.
