ClawHub

Ai Video Maker Renderforest

Security checks across malware telemetry and agentic risk

Overview

This cloud video skill appears functional, but it is branded as Renderforest while sending prompts, media, credentials, and render jobs to Nemovideo endpoints, which users should review before installing.

Treat this as a Nemovideo-backed cloud video service, not necessarily an official Renderforest integration. Install only if you are comfortable sending prompts and uploaded media to that provider, protect any NEMO_TOKEN, and require confirmation before uploads, exports, or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The getting-started prompt invites very generic requests like sending text or images and vague descriptions, which can cause the skill to activate on ordinary user messages not clearly intended for this integration. Because the skill automatically connects to a remote API and can upload user-provided media, accidental invocation can lead to unintended third-party data disclosure and unnecessary token/session creation.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The routing rule sends 'Everything else' to the SSE action, creating an extremely broad catch-all trigger surface. In practice, many unrelated editing or media-related prompts could be forwarded to the third-party backend, increasing the chance of accidental external transmission of user content and unintended API-side actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mentions that rendering happens server-side, but it does not prominently warn users that uploaded files and prompts are sent to a third-party API service. Users may share sensitive media, audio, or text without understanding the external data transfer, which is especially important here because uploads can include personal or proprietary files up to 200MB.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal