ClawHub

Free Product Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud product-video generator that sends chosen media and prompts to NemoVideo, with no evidence of hidden local execution or destructive behavior.

Install only if you are comfortable sending product photos, videos, logos, audio, prompts, and related project metadata to NemoVideo’s cloud service. Avoid uploading sensitive customer, unreleased, or confidential business media unless you trust that provider’s privacy, retention, billing, and account terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The activation text is broad enough that ordinary requests about creating videos from images could invoke this skill without a narrowly scoped user intent. Because the skill uploads user files and prompts to a third-party backend and can acquire anonymous tokens automatically, accidental activation can cause unintended disclosure of user content to a remote service.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing table includes a catch-all rule mapping 'Everything else' to the SSE chat action, which is overly ambiguous for a networked skill. This means many generic editing or generation requests may be forwarded to the remote API, increasing the chance of unintended data transmission and unexpected skill execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill does state that rendering happens server-side, but it does not provide a clear, upfront privacy warning that uploaded files and user prompts are transmitted to a remote backend for processing. In a media-processing skill handling potentially sensitive business assets, insufficient disclosure can lead to users unknowingly sending proprietary images, videos, logos, or text off-device.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal