ClawHub

Ai Video Generator Free Invideo

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video generation skill, but users should know it automatically contacts nemovideo.ai and can send prompts or uploaded media there.

Install only if you are comfortable with prompts, scripts, URLs, and uploaded media being processed by mega-api-prod.nemovideo.ai. Avoid confidential content, verify that you trust the backend provider despite the InVideo branding, and clear or rotate NEMO_TOKEN/session state if you do not want access to persist across uses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing table sends essentially all unmatched prompts to the SSE generation path, which can cause unintended external API calls and processing for ambiguous user input. In a skill that automatically authenticates and creates remote sessions, this broad trigger increases the chance of accidental data submission, unwanted credit consumption, and surprising behavior from loosely related prompts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically connect to an external API and obtain a token on first interaction before doing anything else, without explicit informed consent. This creates a privacy and security risk because user interaction can silently trigger account/session creation and credential handling with a third-party service, even when the user has not clearly agreed to external processing.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal