ClawHub

Ai Video Generator From Music

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill uses NemoVideo cloud APIs to turn user-provided audio into videos, and its remote processing behavior is disclosed and aligned with that purpose.

Install only if you are comfortable sending selected audio files, prompts, and project metadata to NemoVideo's cloud service. Avoid using sensitive or unreleased media unless you trust that provider's handling of your content, and treat NEMO_TOKEN as a service credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
Routing "everything else" to the SSE generation workflow creates an overly broad trigger surface, so unrelated or ambiguous user requests may be sent to the remote backend. In this skill, that means user text can be forwarded off-platform and potentially initiate cloud-side processing without sufficiently clear user intent, increasing privacy and unexpected-action risk.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The phrase "Or just tell me what you're thinking" is a vague conversational trigger that can cause accidental invocation from general discussion rather than an explicit request to use the skill. In a skill that uploads files and sends prompts to a third-party cloud service, ambiguous activation increases the chance of unintended data disclosure or remote processing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does mention remote GPU processing, but it does not give a clear, upfront warning that uploaded audio files and user prompts are transmitted to and processed by an external cloud service. Because the workflow includes file upload, session creation, and prompt transmission to a third-party API, users may not fully understand that their content leaves the local environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal