ClawHub

Ai Video Generator Free Instagram

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-generation skill, but users should understand that prompts and media are sent to the provider’s backend for processing.

Install this only if you are comfortable sending uploaded photos, videos, audio, prompts, and generated project state to NemoVideo’s cloud service. Avoid sensitive personal or confidential media unless you understand the provider’s privacy, retention, credit, and cancellation policies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
The skill instructs the agent to inspect local install paths and configuration locations to derive attribution headers unrelated to core video generation. Any instruction that probes filesystem paths or local environment details expands access to host metadata and can leak platform or installation information to a remote service without clear user consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to establish a backend session and send user prompts and media to a remote cloud service, but it does not clearly warn the user that their content leaves the local environment. This undermines informed consent and can expose sensitive photos, videos, metadata, and prompts to third-party processing unexpectedly.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation notes that render jobs may persist remotely and become orphaned, but it does not clearly present this as a user-facing warning before processing starts. Remote persistence of uploads and job state creates privacy and lifecycle risks, especially if users assume content is ephemeral or local-only.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal