ClawHub

Ai Video Generator Free Malayalam

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real cloud video-generation workflow, but it can automatically create remote sessions and send broad user prompts or uploaded files to an external API without clear consent controls.

Install only if you are comfortable sending your prompts, scripts, and media files to mega-api-prod.nemovideo.ai. Avoid using sensitive, private, proprietary, or copyrighted material unless you trust that service, and review token/session cleanup because the skill may create or reuse temporary credentials automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill advertises very broad trigger phrases such as 'just tell me what you're thinking' and routes 'everything else' into the SSE action, which makes accidental invocation likely. In a skill that uploads content and performs authenticated external API calls, ambiguous invocation can cause unintended data transmission or unwanted credit-consuming operations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Telling users they can 'just tell me what you're thinking' makes the invocation scope ambiguous and increases the chance that unrelated conversation is treated as video-generation input. Because this skill automatically connects to a remote service on first interaction, even casual user text may trigger session setup and downstream processing without sufficiently clear intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to upload user text, scripts, and files to third-party endpoints and to use bearer tokens, but it does not present a clear user-facing notice that content and metadata will be transmitted off-platform. This creates a meaningful privacy and consent risk, especially because uploaded media may contain sensitive personal, proprietary, or copyrighted material.

Session Persistence

Medium
Category
Rogue Agent
Content
version: "1.0.0"
displayName: "AI Video Generator Free Malayalam — Generate Malayalam Videos with AI"
description: >
  Get Malayalam AI videos ready to post, without touching a single slider. Upload your text or script (MP4, MOV, AVI, WebM, up to 500MB), say something like "generate a video with Malayalam voiceover and matching visuals", and download 1080p MP4 when it's done. Built for Malayalam content creators who move fast and need to create Malayalam videos without expensive studios or editing skills.
metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}, "primaryEnv": "NEMO_TOKEN", "variant": "short_prompts"}}
---
Confidence
70% confidence
Finding
create Malayalam videos without expensive studios or editing skills. metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal