ClawHub

Ai Video Generator Online Free

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-generation skill, but it may connect and send user prompts or media to a third-party backend too automatically and too broadly.

Install only if you are comfortable sending selected prompts, images, videos, audio, and project state to the NemoVideo cloud backend. Before use, ask the agent to get confirmation before creating a session, uploading files, exporting, or spending credits, and avoid confidential or regulated media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The invocation examples and prompting language are broad enough that ordinary conversation like sharing text/images or asking to 'get started' could activate the skill unintentionally. In this skill, accidental invocation is more sensitive because first use triggers automatic backend connection and later causes user-provided content to be sent to a third-party cloud video service.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing table sends 'Everything else' to the SSE/chat action, creating an overly permissive catch-all that can treat many unrelated user messages as actionable instructions. Because the SSE path may drive backend editing and session operations, ambiguous routing increases the chance of unintended cloud actions, content processing, and surprise data transmission.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to connect automatically on first open and obtain an anonymous token, but it does not clearly warn users up front that their prompts and uploaded media will be transmitted to a third-party cloud backend. This weakens informed consent and is more dangerous here because the skill handles potentially sensitive images, videos, audio, and text and stores session state remotely.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal