ClawHub

Story Video

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-creation skill whose token, session, upload, edit, and export behavior matches its stated purpose.

Install only if you are comfortable sending selected photos, videos, audio, URLs, prompts, and render state to NemoVideo cloud services. Do not use it with confidential, regulated, or highly private media unless you trust that provider's retention, deletion, account, and credit handling, and keep NEMO_TOKEN out of logs or shared chats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation guidance is broad enough that ordinary conversation like sharing media or saying 'get started' could activate the skill and initiate cloud setup flows. In this skill, activation can lead to token acquisition, session creation, and eventual transmission of user media to a third-party backend, increasing the risk of unintended data disclosure or unwanted external actions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Example triggers such as 'create my images or clips' and 'export 1080p MP4' are vague and could match generic editing requests outside the user's intent to invoke this specific skill. Because the skill is connected to a cloud service and handles user media, accidental invocation could cause remote processing of sensitive files without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill prominently encourages users to upload images, clips, and audio but does not clearly warn up front that prompts and media are sent to a cloud backend for processing. In a media-processing context, this can expose private photos, videos, voice notes, and metadata to a third-party service without informed user consent, making the omission materially risky.

Session Persistence

Medium
Category
Rogue Agent
Content
version: "1.0.0"
displayName: "Story Video — Turn Photos Into Story Videos"
description: >
  create images or clips into narrative story video with this skill. Works with MP4, MOV, JPG, PNG files up to 500MB. social media creators use it for turning photos and clips into a cohesive story video with music and transitions — processing takes 1-2 minutes on cloud GPUs and you get 1080p MP4 files.
metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}, "primaryEnv": "NEMO_TOKEN", "variant": "short_prompts"}}
---
Confidence
84% confidence
Finding
create images or clips into narrative story video with this skill. Works with MP4, MOV, JPG, PNG files up to 500MB. social media creators use it for turning photos and clips into a cohesive story vide

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal