ClawHub

Free Video Generation From Ai

Security checks across malware telemetry and agentic risk

Overview

This is a cloud-backed video/text generation skill whose network, token, upload, and rendering behavior mostly matches its stated purpose, but users should be aware their prompts and files go to Nemovideo.

Install only if you are comfortable sending prompts and any uploaded media/documents to Nemovideo’s cloud service. Use a dedicated NEMO_TOKEN if available, avoid sensitive files, and confirm intent before using the skill on ambiguous generation or editing requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example invocations are overly broad and include generic phrases such as "generate my text prompts," which could match normal conversation and trigger the skill unintentionally. Because this skill automatically connects to a remote backend and may transmit user prompts or files, accidental activation increases privacy and consent risk.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The routing logic uses a catch-all rule that sends "Everything else" to the SSE action, effectively treating most unmatched input as permission to contact the backend. In this skill, that is especially risky because the SSE path can transmit arbitrary user text to an external service, making accidental data disclosure and unintended remote actions more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explains cloud rendering and upload behavior in technical sections, but it does not give a clear upfront warning that user prompts and uploaded files are sent to a third-party cloud backend. Since the skill handles potentially sensitive creative assets and text, lack of prominent disclosure undermines informed consent and may expose private data unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal