ClawHub

Free Video Generation Comfyui

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill that sends prompts and selected media to a third-party service, which is expected for its stated purpose but needs normal privacy caution.

Install only if you are comfortable sending prompts, uploaded media, URLs, and generated project state to the Nemovideo cloud service. Avoid private or sensitive media unless you trust that provider, use a limited NEMO_TOKEN or anonymous token where possible, and confirm ambiguous requests before letting the skill send them as generation or editing commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest markets the skill as simple text/image-to-video generation, but the body documents a substantially broader remote media-editing pipeline including uploads, session inspection, credits queries, and export orchestration. This capability mismatch can mislead users and reviewers about what data is sent off-device and what operations the skill may perform, reducing informed consent and increasing the chance of unintended data exposure.

Context-Inappropriate Capability

Low
Confidence
75% confidence
Finding
The skill metadata and instructions reference local configuration paths and runtime detection of the user's install path/platform, which goes beyond what is necessary for generating AI videos from prompts. Even if used for attribution, probing local paths reveals host-environment details and can normalize unnecessary access to local filesystem context.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Routing nearly any unmatched request to the SSE-backed generation/editing action creates an overly permissive trigger surface. In practice, unrelated user input could be forwarded to the external service, causing unintended remote processing or data disclosure without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill performs automatic authentication and session creation against a third-party cloud API before doing anything else, without prominently warning the user that their prompts and subsequent content will be processed remotely. This undermines informed consent and may expose user data or metadata to an external provider unexpectedly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The upload/export workflow clearly sends user-provided files to remote servers, yet the skill does not provide an explicit privacy warning or obtain consent before transfer. Because the supported inputs include media files that may contain sensitive visual, audio, or embedded metadata, silent upload to a third-party service creates meaningful confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal