ClawHub

Ai Video Generator Free Chat

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can automatically connect to a third-party video service and route broad user messages or media into that service without a tight confirmation boundary.

Install only if you are comfortable sending video prompts, uploaded media, and session/render data to NemoVideo's cloud API. Avoid private or rights-sensitive media, keep NEMO_TOKEN private, and ask the agent to confirm before connecting, uploading files, generating, or exporting so credits and data are not used unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill encourages activation from very generic phrases like sharing prompts or saying what the user is thinking, which can cause the agent to invoke the skill during ordinary conversation rather than after clear user intent. In this skill, accidental activation is more dangerous because first interaction triggers automatic setup and remote API connection, potentially sending user prompts to a third-party cloud service without an explicit, narrow invocation boundary.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table sends 'Everything else' to the SSE generation path, creating an extremely broad fallback that can treat unrelated user text as instructions for the remote backend. Because this skill is designed to forward messages into a cloud render/edit pipeline, ambiguous routing increases the chance of unintended data disclosure, unintended API use, and surprise charges or credit consumption.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill describes convenient video generation but does not clearly warn users that prompts, uploaded media, and session data are transmitted to a remote cloud service for processing. In this context, the omission is significant because the skill automatically connects to external endpoints and handles potentially sensitive creative assets, so users may disclose private data without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal