ClawHub

Ai Video Maker Free Gemini

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent cloud video/text generation helper, but it sends broad user prompts and uploads to NemoVideo with weak user-facing privacy notice and automatic session setup.

Install only if you are comfortable sending prompts and uploaded media to NemoVideo's cloud service. Avoid proprietary, personal, regulated, or confidential content unless you have reviewed NemoVideo's retention and deletion terms, and consider using a dedicated token/account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The routing table sends essentially all unmatched user input to the SSE generation action, which makes ordinary conversation likely to trigger remote processing and data transmission without clear user intent. In a skill that uploads prompts and possibly user media to a third-party API, this broad fallback increases the risk of unintended disclosure and unexpected external actions.

Vague Triggers

Low
Confidence
80% confidence
Finding
The opening prompt invites users to 'drop your text or prompts here' without clearly warning that input will be sent to an external processing API. Because the language is broad and conversational, users may provide sensitive text under the assumption they are only chatting locally, causing inadvertent disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description and workflow emphasize convenience but do not clearly warn that user prompts, uploaded media, and session state are transmitted to and stored by a third-party service. This is dangerous because users may share proprietary or sensitive content without informed consent, especially given the large supported file uploads and automatic setup behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal