Online Pika Ai Video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-generation skill that sends prompts and uploaded media to a remote rendering API, with no evidence of hidden code or malicious behavior.

Install only if you are comfortable sending images, videos, prompts, URLs, and project state to the NemoVideo cloud API. Avoid sensitive or regulated media, treat NEMO_TOKEN as a secret, and use explicit generation or upload requests so the skill is not invoked accidentally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
Routing 'everything else' to the generation/SSE action creates an overly broad activation surface, so unrelated or ambiguous user messages may trigger remote processing unexpectedly. In this skill, that means arbitrary prompts and potentially sensitive media-editing requests can be sent to a third-party backend without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence: 85%
Finding
The opening prompt encourages activation from vague, everyday phrasing such as 'tell me what you're thinking,' which increases the chance that the skill engages when the user did not intend to start a remote media workflow. Because this skill uploads media and sends prompts to an external service, accidental activation raises privacy and consent concerns.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill processes user prompts and uploaded media through third-party remote APIs, yet the description does not prominently warn users before data leaves the local environment. This is dangerous because users may share sensitive images, video, or personal content without informed consent about external transmission and server-side processing.

VirusTotal

62/62 vendors flagged this skill as clean.
