Ai Video Maker Free Chinese

Security checks across malware telemetry and agentic risk

Overview

This video skill is instruction-only and purpose-aligned, but it can automatically connect to a cloud service, use or create a token, and route broad prompts or media to that service without enough user-facing control.

Review before installing. Use this only for media you are comfortable sending to NemoVideo, avoid sensitive videos/images/audio, and confirm the skill is being invoked for a video-editing task before it connects, uploads files, uses credentials, or exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding
The example trigger phrases are extremely generic, such as 'export 1080p MP4' and 'create my video clips or images', and could plausibly match normal user requests outside the intended skill context. This can cause unintended skill activation and route unrelated user content or files to the third-party backend without clear user intent.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing table includes a broad catch-all rule where 'Everything else' is sent to the SSE backend, meaning nearly any non-matching request may trigger remote processing. In a skill that accepts user files and sends prompts to an external service, this increases the chance of accidental activation and unintended disclosure of user data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill says it runs through a cloud rendering pipeline, but it does not clearly warn users up front that uploaded media and prompts are transmitted to a third-party service. Because this skill handles videos, images, and potentially audio files, the privacy impact of silent external transfer is significant.

Missing User Warnings

Low
Confidence: 83%
Finding
The skill automatically uses an existing token or obtains an anonymous starter token and then creates a session, but it does not clearly disclose this behavior to the user. Automatic credential acquisition and backend authentication without transparency can surprise users and obscure how their requests are being authorized and tracked.

VirusTotal

66/66 vendors flagged this skill as clean.
