AI Video Generation

Security checks across malware telemetry and agentic risk

Overview

This is a transparent AI video generation guide that uses expected third-party provider APIs and local preference files, with privacy considerations users should review.

Install this if you intend to use AI video providers and are comfortable sending prompts or reference media to the providers you choose. Avoid saving sensitive project details in ~/video-generation/memory.md, review or delete that file periodically, keep API keys in environment variables rather than chat or project files, and set spend limits on provider accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low (87% confidence)
Finding:
The template explicitly instructs the agent to create a persistent memory file containing user preferences, project context, and prior working recipes, but it does not include any user-facing notice, consent step, retention limit, or guidance on avoiding sensitive data storage. While this appears intended for convenience rather than abuse, persistent storage of behavioral and project data can create privacy and data-minimization risks if users are unaware it is being retained across sessions.

Missing User Warnings

Medium (94% confidence)
Finding:
The setup instructs the agent to create a persistent local workspace and copy a memory file into it, but it does not explicitly warn the user that session-derived information may be stored on disk. This creates a privacy and consent risk because user preferences, prompts, and workflow history could be retained unexpectedly across sessions or exposed to other local users/processes.

Missing User Warnings

Medium (96% confidence)
Finding:
The skill directs the agent to update memory after meaningful sessions with model preferences, prompt patterns, and cost/latency behavior, but it does not notify the user that this information will be persisted. Even if not highly sensitive by default, accumulated usage history can reveal habits, priorities, project details, or commercially sensitive workflow information over time.

VirusTotal

66/66 vendors flagged this skill as clean.
