ClawHub

Free Video Generation Tools Online

Security checks across malware telemetry and agentic risk

Overview

This skill coherently provides cloud video generation, but users should understand that prompts and media go to NemoVideo’s remote service.

Install only if you are comfortable sending your prompts, uploaded clips, images, audio, URLs, and related session data to NemoVideo for cloud processing. Avoid confidential media unless you have reviewed the provider’s privacy, retention, credit, and export terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation text is broad enough that ordinary user requests about videos or descriptions could unintentionally activate the skill. Because the skill automatically connects to a third-party backend and may transmit prompts or uploaded media, accidental invocation can cause unintended data disclosure and backend actions without clear user intent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The catch-all rule routes 'everything else' to the SSE generation/edit path, which is overly permissive and can send arbitrary user text to the backend even when the user did not clearly request video generation. In this skill, that broad routing is more dangerous because the default action initiates remote processing and can expose sensitive prompts or files to an external service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill encourages users to drop prompts or media in chat but does not clearly warn that those inputs are transmitted to a cloud backend for processing. This creates a privacy and consent risk, especially for uploaded videos or scripts that may contain sensitive or proprietary material.

Natural-Language Policy Violations

Medium
Confidence
85% confidence
Finding
Hardcoding the session language to English without user choice can cause unintended translation, misinterpretation of prompts, or loss of meaning for non-English users. While not a classic security flaw, it can undermine user intent and increase the chance that sensitive or regulated content is processed inaccurately by the backend.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal