ClawHub

Video Generation Automatic

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation connector, but users should understand that prompts and uploaded media go to NemoVideo servers.

Install only if you are comfortable sending text prompts, uploaded files, session metadata, and render jobs to mega-api-prod.nemovideo.ai. Avoid confidential, regulated, or private media unless you have reviewed and trust the provider's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The routing table sends all unmatched prompts to the SSE generation action, which can cause the skill to forward arbitrary user text to a remote backend without sufficient intent confirmation. In this skill, that broad default is risky because the service performs remote processing and may interpret general conversation or unintended pasted content as actionable generation requests.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to automatically obtain a token and establish a remote session on first use, while explicitly keeping setup communication brief. This creates undisclosed network activity and account/session creation on behalf of the user, which undermines informed consent and can expose metadata such as client identifiers, language, and subsequent content to a third-party service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill repeatedly encourages users to send text or images for server-side processing but does not provide a meaningful privacy or data-handling warning. Because uploaded media and prompts may contain sensitive personal, business, or copyrighted material, omission of such notice increases the risk of unintentional data disclosure to the remote provider.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal