Video Generation Online

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-generation skill that sends prompts and uploaded media to NemoVideo for rendering, with no executable installer or hidden local behavior found.

Install only if you are comfortable sending prompts, scripts, images, audio, videos, URLs, and generated media to NemoVideo's cloud backend. Keep NEMO_TOKEN private, avoid confidential or regulated media unless you have verified the provider's privacy and retention terms, and confirm ambiguous generation or edit requests before uploading files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (88% confidence)
Finding
The routing table sends every unmatched request to the SSE action, which effectively gives broad backend execution reach for arbitrary user input. In a skill that can upload media, manipulate sessions, and trigger cloud-side operations, this increases the chance of unintended actions, overbroad data handling, or abuse through prompt shaping that should have been rejected or explicitly classified first.

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs users to upload prompts, images, and videos to a cloud backend but does not clearly warn that user content will leave the local environment and be processed by a third-party service. This creates a real privacy and data-governance risk, especially if users provide sensitive media, proprietary scripts, or personal information without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
