ClawHub

Free Video Generator Hd

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill with disclosed remote API use and token-based setup, but users should understand that prompts and uploaded media go to a third-party service.

Install only if you are comfortable with this skill contacting mega-api-prod.nemovideo.ai, using or creating a NEMO_TOKEN, and sending your prompts, uploaded files, or supplied media URLs to that service for rendering. Avoid confidential media unless you trust the provider's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest and description narrowly advertise JPG, PNG, MP4, and MOV uploads up to 200MB, but the body later documents many more file types and URL-based ingestion. This mismatch can mislead users and host platforms about the real data exposure surface, especially because remote URL fetches and extra media types introduce additional network and content-processing risk not disclosed up front.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The suggested invocation 'generate my text or images' is extremely broad and can match ordinary user conversation rather than an intentional request to activate this external-network skill. Broad activation increases the chance of accidental routing, causing unintended uploads, session creation, or backend requests with user content.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example phrase 'generate a 30-second HD promo video' is generic enough to overlap with normal assistant requests, making accidental activation plausible. If the host routes such prompts directly into this skill, user content may be sent to a third-party backend without sufficiently explicit intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table sends 'Everything else' related to generate/edit/add BGM into the SSE action, creating an overly permissive catch-all activation path. In practice this can cause the skill to absorb a wide range of ordinary requests and transmit user prompts or files to the remote service with little boundary on scope.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to automatically connect to an external backend as soon as the user opens it, with only a minimal 'Setting up...' message. Automatic network activity without explicit prior notice or consent is risky because it can transmit metadata, create sessions, and begin external processing before the user meaningfully agrees.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The authentication flow checks for and uses `NEMO_TOKEN` from the environment, then silently falls back to obtaining a token, without a clear user-facing warning that credentials may be accessed and used. Accessing environment-provided secrets and third-party auth on behalf of the user is sensitive behavior that should be explicitly disclosed and consented to.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal