ClawHub

Text To Easy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud text-to-video skill, but users should understand that prompts and uploaded files are sent to NemoVideo's remote service.

Install only if you are comfortable sending prompts, documents, and uploaded media to NemoVideo's cloud service for processing. Avoid confidential, regulated, or proprietary material unless you have reviewed and trust the provider's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Allowing URL-based uploads adds a network-fetch primitive that can be abused to make the backend retrieve attacker-chosen resources unrelated to the stated text-to-video task. Depending on backend controls, this can expose users to SSRF-style behavior, retrieval of internal endpoints, or unvetted transfer of remote content through the service.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The guidance 'Send it over and tell me what you need' is broad enough to encourage activation on loosely related conversation, increasing the chance that arbitrary user content is sent to the remote backend without clear intent. In a skill that uploads content and creates sessions automatically, overbroad invocation materially raises privacy and data-handling risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing rule sends 'Everything else' to the SSE action, which is effectively a catch-all trigger with no scope boundary. This can cause unrelated prompts to be forwarded to the external service, leading to unintended disclosure of user input and surprising backend actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to establish a backend connection and create a session before handling user requests, while also telling it to keep technical details out of chat. This omits a clear user warning that their text/files will be transmitted to a third-party remote service, undermining informed consent for potentially sensitive documents.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal