ClawHub

Video Generator Free Open Source

Security checks across malware telemetry and agentic risk

Overview

This is a real remote video-generation skill, but it is too broad about when it starts and what user text it sends to the external service.

Install only if you are comfortable with prompts and uploaded images, audio, or video being sent to mega-api-prod.nemovideo.ai. Avoid sensitive or proprietary media, and prefer explicit use of the skill for video tasks rather than letting ordinary conversation be routed into it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill encourages activation on very broad phrases like sharing prompts, images, or even vague intent such as 'tell me what you're thinking.' This creates a realistic risk of accidental invocation during ordinary conversation, which is especially problematic because activation immediately leads into remote setup and API interaction.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The routing table sends 'everything else' to the SSE action, making the skill a catch-all for most user input once engaged. That broad boundary can misclassify unrelated user text as generation/edit instructions and forward potentially sensitive or unintended content to the remote backend.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to automatically connect to a remote service and, if needed, obtain an anonymous token before doing anything else, without a clear upfront consent step. This means user prompts or uploaded media may be transmitted off-platform automatically, creating privacy, data handling, and unexpected network access risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal