Brainrot Video Maker Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-editing integration, so its token use, uploads, and rendering API calls fit its stated purpose, but users should know their media leaves the local environment.

Install only if you are comfortable sending uploaded clips, edit prompts, session identifiers, and basic platform attribution to NemoVideo's remote service. Avoid private, confidential, or rights-sensitive footage unless you trust that service's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The startup prompt 'Share your video clips and I'll get started...' is broad enough that ordinary conversation or generic file-sharing can invoke the skill without the user clearly intending to use this remote video service. Because the skill uploads user media and prompts to a third-party backend and may auto-authenticate, accidental invocation can lead to unintended disclosure of private files and requests.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Example triggers such as 'create my video clips' and 'export 1080p MP4' are generic commands that overlap with many benign editing conversations. In this skill, such vague phrasing can cause ambiguous routing into a workflow that contacts a remote API, creates sessions, and processes user media off-platform.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill tells users to drop clips in chat and promises cloud processing, but it does not clearly warn that uploaded media and prompts are transmitted to a remote backend service. This omission undermines informed consent and increases the risk of users sharing sensitive or copyrighted media without realizing it leaves the local environment.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill can source authentication from the NEMO_TOKEN environment or automatically obtain an anonymous token, but this behavior is not clearly disclosed to users. Hidden credential sourcing and automatic token generation can surprise users, consume account resources, and obscure which identity is being used for remote operations.

VirusTotal

66/66 vendors flagged this skill as clean.
