ClawHub

Best Free Video Generation Tools

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill that uses the disclosed NemoVideo backend, with privacy and consent caveats but no evidence of hidden or malicious behavior.

Install only if you are comfortable sending video prompts, images, videos, and related metadata to NemoVideo's cloud backend. Avoid uploading private, confidential, or regulated media unless you have reviewed the service's terms, and set your own NEMO_TOKEN if you do not want anonymous token setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table uses very broad matching such as 'Everything else' for generation and editing requests, which can cause the skill to activate on ordinary conversation about videos rather than an explicit user request to use this external service. In this skill's context, activation can lead to network calls and session-bound actions against a third-party backend, so overbroad invocation increases the risk of unintended data transmission or unintended job creation.

Vague Triggers

Low
Confidence
88% confidence
Finding
The suggested prompts and call-to-action language are broad and conversational, making it easy for normal discussion about creating videos to be interpreted as a command to use the skill. While this section is less dangerous than the explicit routing logic, it still contributes to accidental invocation and can funnel users into an external workflow without a sufficiently deliberate trigger.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to automatically connect to a remote backend and, if no token exists, obtain an anonymous token and create a session before giving the user a meaningful warning about network transmission. In this context, the skill processes user prompts and potentially uploaded media through a third-party service, so silent setup increases privacy and consent risks and may expose user content or metadata unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal