Video Ai Generator Free Credits

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-generation skill, but it sends prompts and uploaded media to NemoVideo and uses a service token/session.

Install only if you are comfortable sending video, images, audio, URLs, prompts, and generated project state to mega-api-prod.nemovideo.ai for cloud processing. Do not use sensitive or proprietary media unless you trust the provider, and prefer an intentionally scoped token or disposable anonymous token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium, 93% confidence
The skill explicitly declares it requires the NEMO_TOKEN environment variable and access to a local config path, which expands its reach beyond simple prompt-to-video functionality into credential discovery and use. Even if intended for convenience, instructing an agent to read local credentials/config introduces unnecessary secret handling and increases the risk of token exposure or misuse.

Context-Inappropriate Capability

Medium, 96% confidence
The skill instructs the agent to mint anonymous tokens that grant 100 credits and 7-day access, a material capability not surfaced in the user-facing description. This encourages use of free/anonymous account resources without clear consent or policy context and can facilitate abuse of third-party service quotas under ephemeral identities.

Vague Triggers

Medium, 85% confidence
The invocation guidance uses generic phrases like 'generate my video clips or images' and 'export 1080p MP4', which are broad enough to match normal conversation and trigger the skill unexpectedly. Overbroad activation can cause unintended API calls, setup steps, or media handling when the user did not mean to invoke this particular skill.

Vague Triggers

High, 98% confidence
The routing table sends 'Everything else' to the SSE action, effectively making the skill a catch-all for arbitrary user input. In context, that is especially risky because the fallback path can initiate backend interactions and process user instructions without a bounded scope, increasing the chance of accidental invocation, data transmission, and unintended third-party actions.

Missing User Warnings

Medium, 95% confidence
The skill asks users to share video clips or images and later specifies upload to a cloud API, but it does not clearly warn users that their media will be transmitted to an external service. This creates a privacy and consent issue, particularly for sensitive or proprietary media, because users may believe processing is local or may not understand where their files are going.

VirusTotal

64/64 vendors flagged this skill as clean.
