Free Text To Video Api

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud video-generation skill, but it needs review because broad prompts can send user text or uploads to NemoVideo without a clear confirmation step.

Install only if you are comfortable sending prompts, uploaded files, media URLs, and render-session data to nemovideo.ai. Use explicit video-generation requests, avoid private or sensitive business content, and confirm before uploads, exports, or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The invocation examples are extremely broad phrases like 'export' or 'convert my text prompts,' which can collide with normal user conversation and trigger external API actions unexpectedly. In a skill that uploads content and creates cloud sessions, ambiguous activation increases the chance of unintentional data transmission or unintended billable operations.

Vague Triggers

Medium
Confidence: 94%
Finding
The catch-all routing rule sends 'Everything else' to the SSE editing path, effectively treating nearly any unmatched utterance as a command to a remote backend. This creates an overly broad activation surface that can cause accidental prompt forwarding, unintended state changes, or unexpected consumption of credits.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill initiates a cloud session and sends prompts and possibly uploaded files to a remote service, but the user-facing setup text does not clearly warn that their content leaves the local environment. This weakens informed consent and can expose sensitive business text, media, or personal data to a third-party backend without a sufficiently prominent disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
