ClawHub

Ai Video Generator Free I

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill appears purpose-aligned, but it needs review because broad routing and automatic cloud setup could send prompts or media to nemovideo.ai without clear user confirmation.

Install only if you are comfortable sending prompts, images, video, audio, URLs, and project state to nemovideo.ai for cloud processing. Avoid confidential or regulated media, and use explicit confirmation before first connection, upload, or generation when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The invocation language is broad enough that ordinary user requests about generating or exporting media could unintentionally trigger this skill. Because the skill automatically connects to a third-party backend and may upload or process user content in the cloud, accidental activation can cause unintended data transfer and actions the user did not explicitly consent to.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The example trigger phrase "create a 30-second promotional video from" is a natural-language request that many users could say in normal conversation without intending to invoke this specific skill. In this skill's context, that is risky because activation leads to automatic session creation and cloud processing, increasing the chance of unintended disclosure of user prompts or uploaded media to the external provider.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The catch-all rule routes virtually all unmatched requests related to generating, editing, or adding media into the SSE action, which is too permissive for a skill that communicates with a remote API and maintains session state. This can cause unrelated or ambiguous user requests to be sent to the third-party backend, potentially exposing private text, media instructions, or file references without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description explains functionality but does not clearly warn users up front that their text, images, and other media may be transmitted to a cloud rendering backend for processing. In a tool that supports uploading local files and remote URLs, lack of explicit disclosure undermines informed consent and increases privacy risk if users provide sensitive or proprietary content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal