Midjourney Video Generator Free

Security checks across malware telemetry and agentic risk

Overview

The skill’s cloud rendering behavior fits its purpose, but it automatically uses or obtains a Nemo token and creates a remote session while telling the agent to keep those details out of chat.

Review before installing. Use it only if you are comfortable sending prompts, files, and render state to the Nemo cloud service, and avoid using sensitive or proprietary media unless you have confirmed the data-handling terms. Prefer requiring the agent to ask before using NEMO_TOKEN, requesting an anonymous token, creating a session, or uploading files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to automatically use an environment token or obtain an anonymous token and create a backend session before handling the user request, while explicitly hiding those technical details from the user. This creates undisclosed outbound network activity and credential use, which can violate user expectations and organizational data-handling rules, especially if a local secret like NEMO_TOKEN is consumed without clear consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow encourages uploads and remote rendering but does not require a clear warning at the point of use that user prompts/files are transmitted to a third-party cloud service and that outputs are returned via hosted download URLs. This matters because users may upload sensitive media or proprietary prompts without realizing they are leaving the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.
