Free Generation Maker

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill whose network, token, upload, and rendering behavior is disclosed and aligned with its purpose, though users should avoid sending sensitive prompts or media.

Install only if you are comfortable sending video prompts, uploaded media, and session/authentication data to nemovideo.ai. Use explicit video-generation requests, avoid private or sensitive files, and keep any NEMO_TOKEN value private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding
The invocation examples are overly broad and generic, such as 'generate my text prompts' and 'export 1080p MP4', which can match ordinary user conversation and cause the skill to activate unexpectedly. In a skill that automatically connects to a backend and may obtain authentication tokens, accidental activation increases the chance of unintentional data transmission and backend actions without clear user intent.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing rule 'Everything else' sends all remaining inputs to the SSE action, which is an ambiguous catch-all that can capture unrelated conversation. Because this path forwards user messages to a remote service, it creates a prompt-injection-style overreach where non-video-related content may be transmitted externally or trigger unintended operations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill text describes cloud GPU processing and uploads but does not present a clear, front-loaded warning that user prompts and uploaded media are sent to a third-party cloud backend. This weakens informed consent and can expose sensitive text, images, audio, or video to an external service without the user fully realizing it.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill automatically acquires an anonymous token, stores it, and creates persistent sessions, but it does not clearly warn users that authentication credentials will be obtained and reused for ongoing API access. This is dangerous because hidden credential handling and session persistence can surprise users, obscure the scope of backend access, and increase the blast radius of accidental activation.

VirusTotal

63/63 vendors flagged this skill as clean.
