Ai Free Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video generation skill whose external API use is broadly aligned with its stated purpose, but users should understand that prompts, media, tokens, and exports go through NemoVideo infrastructure.

Install this only if you are comfortable using NemoVideo as a third-party cloud service. Do not send confidential scripts, private media, sensitive URLs, or account tokens unless you are comfortable with that provider processing them; review the exported video and download link before sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Low
Confidence: 92%
Finding
The skill instructs the agent to inspect the local install path to infer the hosting platform and send that attribution upstream, even though platform detection is not required to generate videos. This creates unnecessary host-environment disclosure and establishes a precedent for collecting local context unrelated to the user’s request.

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation language is broad enough that ordinary video-editing or generation requests may trigger this skill unexpectedly, causing user prompts and possibly files to be routed to a third-party backend without clear intent. In a skill that uploads content and creates remote sessions, overbroad triggering increases privacy and consent risk.

Vague Triggers

Medium
Confidence: 95%
Finding
The catch-all routing rule sends 'everything else' to the SSE generation/editing path, which is overly permissive for a skill that forwards prompts to a cloud service. This can capture ambiguous requests and trigger remote processing without sufficient specificity or user awareness.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to establish a backend connection, create a session, and potentially obtain a token, but it does not clearly warn users that their prompts and uploaded media will be sent to remote APIs. This undermines informed consent and may expose sensitive content to third-party processing unexpectedly.

Missing User Warnings

Low
Confidence: 87%
Finding
The export workflow creates remote render jobs and returns downloadable cloud-hosted output URLs, but the skill text does not clearly disclose this to users. Users may assume processing is local or ephemeral when in fact rendered artifacts may persist on external infrastructure.

Natural-Language Policy Violations

Medium
Confidence: 82%
Finding
Hard-coding English for session creation can cause the agent to send user interactions under an incorrect language context, which may degrade behavior or mis-handle multilingual content. While not a classic security flaw, it can contribute to misleading processing and reduce user control over how their data is handled.

VirusTotal

64/64 vendors flagged this skill as clean.
