ClawHub

Best Video Generation

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill whose network calls, token use, uploads, and session handling match its stated purpose, though users should treat prompts and media as being sent to Nemo Video.

Install only if you are comfortable sending the prompts, media files, URLs, and render-session data you provide to Nemo Video's cloud service. Use a limited or anonymous token where possible, avoid sensitive or private media, and make sure your agent only routes explicit video-generation or editing requests to this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing table sends 'Everything else' to the SSE generation/editing backend, which means a very wide range of user inputs will be forwarded to a remote service by default. In this skill, that broad trigger increases the chance of unintended prompt transmission, accidental remote actions, and ambiguous handling of non-video requests, especially because the skill also performs uploads, session creation, and cloud rendering automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs automatic connection to a remote API and supports sending prompts and uploaded files to cloud endpoints, but it does not clearly warn users up front that their content will leave the local environment. This creates a privacy and data-handling risk because users may disclose sensitive text, media, or metadata without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal