ClawHub

Ai Video Generatore Gratis

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-generation skill; its network use, uploads, token, and session handling fit that purpose, but users should avoid sending sensitive media unless they trust the provider.

Install only if you are comfortable sending prompts, uploaded images or clips, media URLs, and session metadata to mega-api-prod.nemovideo.ai. Do not upload private, confidential, or regulated media unless you trust that service, and treat NEMO_TOKEN as access to your NemoVideo session or credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill requires sending an auto-detected `X-Skill-Platform` header derived from the install path, which introduces unnecessary environment fingerprinting unrelated to core video-generation functionality. This leaks host/platform metadata to the remote service and can be used for tracking, profiling, or differential behavior across clients.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The routing table sends 'Everything else' to the SSE action, meaning most prompts can trigger remote backend interaction even when the user did not clearly request cloud processing. In a skill that can upload files and maintain remote session state, ambiguous activation increases the risk of unintended data transmission and surprising external actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs automatic connection to a cloud backend, anonymous token retrieval, session creation, and later uploads, but does not require a clear user-facing warning that content and prompts leave the local environment. Because users may provide media files up to 500MB, this can expose sensitive images, videos, or metadata to a third party without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal