ClawHub

Video Generator Free No Limits

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud video-generation skill, but it can automatically create a third-party session and send broad user prompts or media to NemoVideo while advertising “free no limits” despite documented credits and upgrade limits.

Review before installing. Expect this skill to contact NemoVideo automatically and send prompts and selected media to NemoVideo cloud endpoints. Do not use it with confidential content unless you trust that provider, and verify actual pricing, credits, export limits, and account requirements because the skill’s “free no limits” marketing conflicts with its own documented limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are extremely broad and generic, such as 'generate my text or images' and 'export 1080p MP4', which can cause the skill to activate in conversations that are not clearly intended to use this specific tool. Because this skill performs automatic setup and external API session creation on first interaction, unintended activation can lead to unsolicited network calls, token creation, and processing of user-provided content without sufficiently explicit consent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing table sends 'Everything else' to the SSE generation/edit path, creating a catch-all behavior that can interpret unrelated user text as instructions for this backend. In this skill, that is more dangerous because the catch-all path can forward arbitrary user content to a remote service and potentially initiate edits or processing actions with minimal intent verification.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal