Ai No Generator

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill that discloses its NemoVideo API use, token/session setup, and media uploads, with privacy caveats but no evidence of hidden or destructive behavior.

Install this only if you are comfortable with a cloud service creating an anonymous NemoVideo session and processing the clips, prompts, and draft state you provide. Avoid uploading sensitive or private media unless you trust the provider’s handling and retention practices, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The invocation examples are very broad and include common phrases, making accidental activation more likely. In this skill, unintended activation can trigger backend connection, token acquisition, and remote processing of user content, so the risk is not just UX confusion but unanticipated network actions and data transfer.

Vague Triggers

Medium
Confidence: 95%
Finding
The catch-all routing sends nearly all unmatched requests to the SSE/chat action, which is overly permissive. Because the SSE path can cause edits, stateful operations, and external API requests, ambiguous user input may be misinterpreted as authorization to process or upload media.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs automatic backend connection and anonymous token creation on first open without explicit user notice or consent. This creates a remote account/session and transmits identifiers to a third-party service before the user has clearly agreed, which is a privacy and consent problem.

VirusTotal

VirusTotal findings are pending for this skill version.
