ClawHub

Free Video Generation Automatic

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-generation helper with disclosed remote processing and no local executable installer, but users should be careful not to send sensitive media or prompts.

Install only if you are comfortable sending prompts, uploaded images/videos/audio, and session data to NemoVideo's cloud backend. Avoid confidential, regulated, or private media unless you trust that provider, and consider using your own NEMO_TOKEN instead of relying on automatic anonymous token creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill collects local installation-context information by inferring platform from install paths and transmits it as attribution headers to a remote service, even though that data is not necessary for core video generation. This creates avoidable privacy leakage and environment fingerprinting, which can be used for tracking users or correlating deployments across platforms.

Vague Triggers

Medium
Confidence
83% confidence
Finding
An overly broad invocation phrase increases the chance the skill activates on incidental conversation, causing unintended transmission of user prompts or files to the remote backend. In this skill's context, accidental activation is more dangerous because prompts and media are uploaded to a third-party cloud service and may trigger token acquisition and session creation automatically.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The catch-all routing rule sends nearly any unmatched request into the SSE edit/generation flow, which can cause overbroad handling of user input and unintended backend actions. Because the skill auto-connects and forwards content to a cloud service, ambiguous routing raises the risk of data being sent or jobs being created without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill omits a clear user-facing warning that prompts, files, and session data are sent to a remote cloud backend for processing. This undermines informed consent and can expose sensitive text, images, or videos to a third party, especially given the automatic connection and upload-oriented workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal