ClawHub

Text To Video Generator Ai Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud text-to-video helper whose API use is mostly disclosed and purpose-aligned, but users should avoid sending sensitive files or prompts.

Install only if you are comfortable sending prompts, files, URLs, and generated project state to NemoVideo’s cloud service. Do not use it with confidential PDFs, private media, client data, proprietary scripts, or sensitive URLs unless the provider’s privacy and retention terms are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest presents a narrow text-to-video capability, but the body of the skill instructs the agent to perform broader upload, state inspection, rendering, and media workflow actions. This mismatch undermines informed consent and review boundaries, because users and platform reviewers may believe only text conversion occurs while the skill can process and export additional content through remote APIs.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The upload interface accepts generic files and even arbitrary URLs, which exceeds the stated text-file-only purpose. That broader ingestion surface can expose users to unintended data exfiltration to the cloud backend, including non-text or sensitive local content, especially when combined with vague routing rules and automatic backend interaction.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation examples and routing logic are overly broad, including catch-all behavior for 'everything else,' which makes it unclear when the skill should activate and what requests it may handle. In practice, this can cause accidental triggering on unrelated prompts and lead to unexpected transmission of user content to the external backend.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill directs automatic connection to a remote processing backend and session creation, but does not prominently warn users that their prompts/files will be sent to a third-party cloud service. This is a meaningful privacy and consent issue because users may share sensitive documents believing the skill operates locally or only within the host assistant.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal