Video Generative Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation helper, but users should understand that prompts, uploaded media, and session data go to NemoVideo’s servers.

Install only if you are comfortable sending video prompts, uploaded media, URLs, and related session data to NemoVideo’s cloud backend. Use non-sensitive media first, prefer an ephemeral or limited token, and invoke the skill only when you clearly intend to generate or edit a video.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad enough to activate this skill from ordinary conversation, which can cause unintended routing of user prompts and accidental transmission of prompts or files to the remote video backend. In a skill that uploads user media and creates remote sessions, overbroad activation increases the chance of privacy-impacting misfires rather than being a harmless UX issue.

Vague Triggers

Medium
Confidence: 95%
Finding
The catch-all rule routes nearly everything not matched earlier into SSE generation/editing, which makes accidental invocation highly likely. Because that path sends user text to a cloud service and can mutate session state, ambiguous routing materially increases the risk of unintended data disclosure and unauthorized actions on behalf of the user.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill description notes that rendering happens server-side, but it does not present a prominent user-facing warning that uploaded media, prompts, and possibly URLs are transmitted to a third-party cloud backend for processing. For a media-handling skill, insufficient disclosure can cause users to share sensitive content without informed consent, creating privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
