ClawHub

Free Video Ai No Copyright

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should understand that prompts and media may be sent to NemoVideo's remote service.

Install only if you are comfortable sending video files, prompts, and render metadata to mega-api-prod.nemovideo.ai. Keep NEMO_TOKEN private, avoid sensitive or proprietary media unless you trust the provider, and independently verify any copyright-free or royalty-free claims before publishing outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing rule sends 'Everything else' to the SSE action, effectively making this skill a catch-all for a wide range of ordinary user prompts. That broad trigger surface can cause unintended activation, silent data transfer to the external video service, and prompt interception of requests the user did not intend for this skill.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example phrase 'create my video clips' is generic and overlaps with normal conversation, which increases the chance of accidental skill activation. In a skill that immediately connects to remote APIs and may process user media, vague triggers expand the attack surface and reduce informed user consent.

Vague Triggers

Low
Confidence
86% confidence
Finding
The suggested invocation is not sufficiently specific, which can blur the boundary between normal chat and tool use. While not directly exploitable on its own, it contributes to accidental routing into a skill that performs networked actions and handles user files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal