ClawHub

Ai Effect Video Generator Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-effects skill that does what it claims, but users should understand that uploaded media and prompts are sent to NemoVideo for processing.

Install only if you are comfortable sending selected videos, images, audio, prompts, and render state to NemoVideo's cloud API. Avoid sensitive personal or confidential media unless you trust that provider's privacy and retention practices, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing table sends any unmatched user input to the SSE backend, which creates an overly broad activation surface and makes accidental invocation likely. In a skill that can upload media, create remote sessions, and trigger cloud-side processing, this increases the chance that unrelated user text is forwarded to a third-party service without clear user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The getting-started prompt uses broad natural language such as 'Send it over and tell me what you need,' which overlaps with ordinary conversation and does not clearly constrain when the skill should activate. Because the skill performs external API calls and handles user media, ambiguous invocation can cause unintended data disclosure or processing on a remote service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes a cloud render pipeline, remote sessions, and downloadable outputs, but it does not prominently warn users up front that uploaded videos and editing instructions are transmitted to and processed by a third-party service. For personal phone clips, this can expose sensitive visual, audio, location, or biometric information without informed consent, especially since sessions and render jobs may persist remotely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal