ClawHub

Free Video Generation China

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-generation integration that sends prompts and media to NemoVideo, and its sensitive behavior is mostly disclosed and consistent with its purpose.

Install only if you are comfortable sending prompts, images, files, media URLs, and render/session metadata to NemoVideo for cloud processing. Avoid confidential or regulated media unless you trust that provider, and prefer a dedicated or revocable NEMO_TOKEN.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The frontmatter and top-level description present a narrow text/image-to-video generator, but the body defines a much broader remote video-editing system with uploads, session creation, state inspection, credits, export, and timeline manipulation. This scope mismatch can mislead users and host platforms about what data is sent off-device and what actions the skill may take, undermining informed consent and review.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Routing 'everything else' to generation/edit actions creates an overly broad trigger surface, making unrelated user requests likely to be sent to the remote SSE editing backend. This increases the chance of unintended cloud transmission of user text, accidental execution of destructive edits, and behavior outside the user's expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to connect automatically to a cloud backend, obtain tokens, create sessions, and send prompts or uploaded files remotely, but the user-facing description does not clearly warn that their content will leave the local environment. This lack of transparent disclosure creates privacy and consent risk, especially because prompts, images, and possibly sensitive media are transmitted to a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal