ClawHub

Text To Video Bangla Free

Security checks across malware telemetry and agentic risk

Overview

This is a real text-to-video connector, but it can automatically create a remote NemoVideo session and send broad prompts, files, or URLs to that service with weak user-facing disclosure.

Review before installing. Use this skill only for scripts and links you are comfortable sending to NemoVideo's servers, prefer a NEMO_TOKEN you control, and confirm before uploads, URL ingestion, exports, or broad edit requests. Avoid confidential, regulated, or private documents unless the publisher provides acceptable privacy and deletion terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill is instructed to mint and use anonymous backend tokens whenever no user token is present, which gives it account/bootstrap capability beyond a narrow text-to-video wrapper. This can enable unprompted creation and use of third-party service access, consume remote resources under anonymously issued credentials, and obscure consent and accountability for backend actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Supporting remote URL uploads broadens the skill from local file processing to fetching arbitrary third-party resources, which increases the attack surface and data-handling risk. It may be abused to retrieve unexpected content, interact with internal or sensitive URLs if execution environments permit, or transmit user-supplied links to the backend without clear user understanding.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation examples are generic phrases like "export" and "convert my text script," which can overlap with ordinary conversation and increase the chance of accidental activation. Over-broad triggering is dangerous here because activation leads to remote API session establishment and potential content transmission without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing logic includes a catch-all rule sending "Everything else" to the SSE backend, effectively treating most unmatched user input as actionable video-editing instructions. This can cause unintended remote processing, broaden activation far beyond the stated purpose, and make it difficult for users to predict when their content will be sent to the external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to connect to a remote backend, create sessions, and potentially obtain tokens, but it does not clearly warn users that uploaded scripts and prompts will be transmitted to an external service. This lack of disclosure undermines informed consent and increases privacy and compliance risk, especially for potentially sensitive documents.

Natural-Language Policy Violations

Medium
Confidence
71% confidence
Finding
Hard-coding the session language to English without user choice is primarily a consent and transparency issue rather than a direct security flaw, but it can alter backend behavior in ways the user did not request. In a Bangla-focused skill, this mismatch may lead to unexpected processing or leakage of user intent through unnecessary language normalization.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal