ClawHub

Ai Video Generator Free Girl

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation connector, but users should know their prompts and uploaded media are sent to nemovideo.ai.

Install only if you are comfortable sending selected prompts, images, audio, or video files to nemovideo.ai for processing. Avoid private, regulated, or non-consensual media unless you trust the provider, and treat NEMO_TOKEN as a service credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to infer the host platform from the install path and transmit it on every request, which collects environment metadata unrelated to the user's core goal of generating videos. Install-path-derived platform detection can expose unnecessary host context and increases fingerprinting/privacy risk, especially when combined with persistent session identifiers and cloud uploads.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The routing rule sends 'everything else' to the SSE backend, creating an overly broad invocation surface that can forward unintended user input to a remote service. This ambiguity raises the risk of accidental data exfiltration, surprising activation, and unsafe handling of prompts unrelated to video generation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages users to upload files and prompts to a cloud backend but does not provide a clear upfront warning that their data will be transmitted off-device for remote processing. This undermines informed consent and can expose sensitive media, metadata, or text prompts without adequate disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal