Generator Green Screen

Security checks across malware telemetry and agentic risk

Overview

This is a cloud green-screen video editing skill whose remote processing is mostly disclosed, though users should understand it sends media and prompts to NemoVideo.

Install only if you are comfortable sending videos, images, audio, and editing prompts to the NemoVideo cloud API. Avoid confidential media unless you trust that provider's privacy and retention practices, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium, 92% confidence
Finding
The skill manifest presents a narrowly scoped green-screen video tool, but the instructions expose a much broader remote multimedia-editing surface including uploads, audio/image handling, timeline/state inspection, and export orchestration. This scope mismatch increases the chance of users and host systems granting trust or permissions under false assumptions, enabling unintended data handling and remote actions beyond the advertised purpose.

Vague Triggers

Medium, 89% confidence
Finding
The invocation examples and routing logic are broad enough that common phrases like 'export', 'download', 'upload', or generic editing requests could trigger this skill outside a clearly intentional green-screen context. Over-broad activation raises the risk of accidental remote uploads, session creation, or backend actions on unrelated user content.

Missing User Warnings

Medium, 97% confidence
Finding
The skill instructs the agent to automatically connect to a remote backend and obtain anonymous tokens without first presenting a clear disclosure or consent flow for cloud processing. Because the skill handles user media files, silent backend connection materially increases privacy and data-transfer risk, especially when users may not realize their content and metadata are being sent off-device.

VirusTotal

64/64 vendors flagged this skill as clean.
