ClawHub

Meta Ai Video Generator Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-generation helper that sends chosen media and prompts to a third-party backend, which matches its stated purpose.

Install only if you are comfortable sending selected images, videos, prompts, and related metadata to nemovideo.ai for cloud processing. Use it for explicit video-generation tasks, avoid sensitive or proprietary media unless you trust the provider, and review how NEMO_TOKEN and any local nemovideo configuration are handled in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The invocation examples are extremely generic (for example, 'export 1080p MP4' and 'generate my images or clips'), making it plausible that unrelated user requests could accidentally trigger this skill. Because the skill handles file uploads and remote processing, accidental activation could cause users to send media or prompts to a third-party backend without clear intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table contains a catch-all rule that sends 'Everything else' to the SSE action, which effectively treats most unmatched prompts as instructions for the remote backend. This broad trigger scope increases the risk of misrouting unrelated user input, causing unintended disclosure of prompts or media to an external service and triggering remote actions without sufficiently specific user consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Although the document later mentions server-side rendering, the user-facing description and getting-started flow do not prominently warn that uploaded files, prompts, session state, and exports are sent to and processed by a remote cloud backend. For a media-processing skill handling potentially sensitive user content, insufficient upfront disclosure creates a privacy and consent risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal