Vivideo Ai Video Generator

Security checks across malware telemetry and agentic risk

Overview

This video generator appears purpose-aligned, but it should be reviewed because broad prompts can trigger automatic third-party cloud processing of user text and media.

Install only if you are comfortable sending selected prompts, images, videos, and related session metadata to the Nemo/Vivideo backend. Prefer using explicit Vivideo commands, avoid confidential or regulated media, and confirm before any upload or generation request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation examples and startup language are broad enough to trigger on ordinary phrases like 'generate', 'export', or generic sharing of text/images, which can cause the skill to activate when the user did not clearly intend to use this third-party video service. In this skill, unintended activation is more risky because activation can lead to automatic backend connection and eventual transmission of user content to a cloud API.

Vague Triggers

Medium
Confidence: 94%
Finding
The routing table contains a catch-all rule ('Everything else') that maps a very wide range of ordinary editing language to the SSE action. That makes activation ambiguous and can silently route unrelated user requests into a remote processing workflow, increasing the chance of unintended data disclosure or external actions.

Missing User Warnings

Medium
Confidence: 92%
Finding
Although the file later describes a cloud rendering pipeline, the user-facing description and activation flow do not clearly warn at the point of use that uploaded files, prompts, and session data are sent to a third-party cloud backend. For a media tool handling potentially sensitive images and videos, lack of upfront disclosure undermines informed consent and increases privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.
