ClawHub

Paid Content Generator Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent cloud video-generation connector, but users should understand that prompts and selected files go to NemoVideo and that it creates a remote session automatically.

Install only if you are comfortable sending prompts, product briefs, media files, and render metadata to NemoVideo's cloud backend. Avoid sensitive or proprietary material unless you have reviewed that provider's terms, and treat NEMO_TOKEN like a credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill directs the agent to silently mint anonymous tokens and create backend sessions on the user's behalf. Although this supports the advertised video-generation workflow, it is still a security-relevant capability because it performs remote authentication/session establishment without an explicit user consent step or clear disclosure, which can normalize hidden account or quota consumption and create opaque linkage between user prompts and third-party services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill tells the agent to connect automatically, obtain or reuse tokens, and establish sessions, but does not present a clear upfront warning that user prompts/files will be transmitted to a remote third-party service. In a content-generation skill that may receive product briefs, media, or other sensitive marketing materials, this lack of disclosure materially increases privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal