ClawHub

A Video Using

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill appears purpose-aligned, but it automatically connects to a third-party NemoVideo backend and can broadly send prompts and uploaded media without a clear first-use consent step.

Install only if you are comfortable sending video, audio, documents, prompts, and edit instructions to NemoVideo's remote service. Avoid using it with confidential, regulated, or client media unless you have reviewed NemoVideo's terms and privacy posture, and prefer confirming before uploads, token creation, or backend edit requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The example invocation phrases are generic enough that ordinary conversation about creating or exporting a video could unintentionally trigger the skill. Because this skill performs networked actions and can initiate backend setup, accidental invocation can lead to unintended data transfer or session creation against a remote service.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The catch-all rule routing "Everything else" to the SSE editing path creates an overly broad trigger surface. In practice, many unrelated user messages within a session could be forwarded to the remote backend, increasing the risk of unintended prompt disclosure, unwanted edits, or accidental consumption of credits.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user media and prompts to a third-party remote backend, but the user-facing description does not clearly warn about that data flow before use. This weakens informed consent and can expose sensitive video, audio, or embedded personal information to external processing without sufficient notice.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal