Christmas Video Maker Free

Security checks across malware telemetry and agentic risk

Overview

This is a real remote holiday-video skill, but it can automatically connect to NemoVideo and route broad user requests to an external backend that may receive personal media and prompts.

Install only if you are comfortable sending prompts, photos, videos, and audio to NemoVideo's remote service. Use it for non-sensitive media, and be aware that generic editing requests may be routed to the service unless the host requires confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill invites activation from very generic phrases like sending images/clips or describing a desired result, which can cause unintended invocation during ordinary conversation. Because this skill uploads user media and transmits prompts to a third-party backend, accidental triggering can lead to unintentional disclosure of personal photos, videos, and editing requests.

Vague Triggers

Medium
Confidence: 95%
Finding
The catch-all rule routing 'Everything else' to the SSE action is overly broad and effectively makes the remote backend the default handler for most inputs. That increases the chance that unrelated or sensitive user text is forwarded to an external service without a specific, informed request to use this skill.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs automatic backend connection and anonymous token acquisition on first open, while minimizing user-visible disclosure about remote transfer. Since the core function involves uploading personal images or clips to a third-party service, silently connecting and preparing credentials before explicit consent creates a meaningful privacy and data-sharing risk.

VirusTotal

66/66 vendors flagged this skill as clean.
