Meme Video Generator Free

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal cloud meme-video generator, but uploaded media and prompts are sent to NemoVideo for processing.

Install only if you are comfortable sending selected media, editing prompts, and project metadata to NemoVideo's cloud service. Avoid private or confidential files, and ask the agent to confirm before uploads, generation, or export if you want tighter control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 95%
Finding
The suggested trigger phrases are extremely generic (for example, 'turn this image into a meme' and similar broad prompts), which increases the chance the skill activates during ordinary conversation or while a user is discussing media generally. In a skill that uploads user files and sends prompts to a remote backend, accidental invocation can lead to unintended data transfer and actions the user did not explicitly consent to.

Vague Triggers

Medium
Confidence: 97%
Finding
The routing table sends 'Everything else' to the SSE action, creating an unconstrained catch-all that may forward arbitrary user text to the backend. Because this skill performs remote processing and may interpret normal conversation as editing instructions, the rule materially raises the risk of unintended external disclosure and backend-side actions.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill states that rendering happens server-side, but it does not clearly warn users that uploaded files and prompt contents are transmitted to a third-party remote backend for processing. Given the skill handles media uploads and free-form prompts, lack of explicit disclosure undermines informed consent and may expose sensitive personal content unexpectedly.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The session creation body hard-codes 'language':'en' without checking the user's language or obtaining consent, which can mis-handle user inputs, produce incorrect processing, or cause unintended prompt translation/interpretation. While not typically a direct security exploit, it can degrade user control and create privacy or integrity issues if content is transformed or routed incorrectly.

VirusTotal

66/66 vendors flagged this skill as clean.
