Video Hook Generator Free

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but it sends chosen media to NemoVideo and uses or creates a service token to process and export clips.

Install only if you are comfortable sending selected videos, images, audio, or URLs to NemoVideo for cloud processing. Use a dedicated NEMO_TOKEN if possible, avoid uploading confidential media, and ask the agent to confirm before exports or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The manifest markets the skill as a narrow 'video hook generator', but the documented behavior supports broader video editing, media handling, and export workflows. This scope mismatch can mislead users and host systems about what data and capabilities are actually involved, weakening informed consent and policy enforcement.

Context-Inappropriate Capability

Low
Confidence: 83%
Finding
The skill instructs the agent to obtain anonymous tokens and create backend sessions automatically, even though the user-facing description does not make authentication brokering a clear part of the advertised function. This expands the trust boundary by allowing the skill to provision credentials and interact with a third-party service on the user's behalf without clear upfront disclosure.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The documented endpoints and supported actions go well beyond generating an opening hook and effectively expose a general multimedia editing and export pipeline. This broader operational scope increases the chance of overbroad invocation, unexpected data transfer, and use beyond what users or reviewers would infer from the manifest.

Vague Triggers

Medium
Confidence: 90%
Finding
The catch-all rule routes 'Everything else' to the SSE action, meaning nearly any unmatched prompt can trigger remote processing. This can cause unintended invocation for unrelated requests, increasing the risk of accidental data disclosure or unauthorized interaction with the backend.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill directs the upload of user media and transmission of authentication/session data to a remote backend, but it does not present a clear user-facing privacy notice, retention statement, or data-handling warning. Because uploaded videos may contain sensitive personal, biometric, or proprietary content, silent transfer to a third party materially increases privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.
