Bing Video Generator Free

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a cloud video-generation connector, but it is branded as Bing while sending prompts, uploads, tokens, and session state to NemoVideo with broad automatic routing.

Review before installing. Use it only if you are comfortable sending prompts and uploaded files to NemoVideo-operated cloud services, not necessarily Bing or Microsoft. Avoid confidential, regulated, or private media unless you have verified the provider, retention terms, and token handling; rotate or remove NEMO_TOKEN if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The routing table sends all unmatched user input to the SSE backend, creating a broad catch-all that can forward arbitrary requests outside a narrowly defined video-generation scope. In a skill that proxies user content to a remote service, this increases the chance of unintended data disclosure, misuse of backend capabilities, and confusing or unsafe behavior from overly broad invocation.

Vague Triggers

Medium
Confidence: 87%
Finding
The startup prompt invites users to 'drop your text prompts here or describe what you want to make' without clear limits on supported operations or data handling. This broad invitation encourages users to submit arbitrary or sensitive content that will be transmitted to a third-party backend, increasing privacy and misuse risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill sends prompts, uploads, and session data to a remote backend, but the user-facing description does not prominently warn that their content leaves the local environment for third-party processing. This creates a meaningful privacy and consent gap, especially for uploaded media and free-form text that may contain sensitive information.

VirusTotal

64/64 vendors flagged this skill as clean.
