ClawHub

Ai Video Generator Free Hugging

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud AI video-generation skill, but it sends prompts and uploaded media to NemoVideo and should be used intentionally.

Install only if you are comfortable with NemoVideo receiving your prompts, uploaded files, generated media state, and related metadata. Avoid confidential or sensitive media, use a dedicated token where possible, and ask the agent to confirm before uploads, exports, or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The suggested trigger phrases are extremely generic and overlap with normal conversation, making accidental invocation plausible. In this skill, accidental activation is more concerning because first interaction automatically contacts an external API and may initiate token/session creation without a clearly informed user action.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The catch-all rule routes 'Everything else' to the SSE backend, which creates an overly broad execution surface for arbitrary user input. Because SSE requests send user text to a cloud service, ambiguous routing can cause unintended external data transmission and backend actions from ordinary editing or conversational requests.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes upload and generation behavior but does not prominently warn users that their prompts, files, and media are sent to a third-party cloud API for processing. This weakens informed consent and increases privacy risk, especially since uploaded media may contain sensitive personal or proprietary content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically obtain an anonymous token and create a remote session on first interaction, but it does not warn the user that external services will be contacted immediately. Automatic network activity without explicit disclosure or consent is dangerous because it can surprise users, leak metadata, and create accounts/sessions they did not knowingly request.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal