ClawHub

Video Generator Free Ai Tools

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video generation skill that is broadly coherent with its stated purpose, but users should know prompts and uploaded media go to NemoVideo’s remote API.

Install only if you are comfortable sending prompts, uploaded images, audio, and video files to NemoVideo for cloud processing. Avoid confidential or proprietary media unless you trust that service’s retention and privacy practices, and prefer a limited-use or anonymous token over a valuable account credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill advertises simple prompt/image-based video generation, but the implementation exposes a substantially broader editing surface including timeline state inspection, text/audio manipulation, and iterative draft changes. This mismatch increases the chance of users or host agents invoking higher-privilege actions without clear user understanding or consent, creating an unnecessary capability expansion beyond the stated purpose.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The catch-all routing rule sends essentially any unmatched input to the SSE/edit pathway, which can cause overbroad activation and unintended backend actions. In a skill that accepts natural language and files, this raises the risk of accidental processing of unrelated user content and makes prompt-trigger boundaries too loose.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to upload files and initiates multiple cloud API requests without prominently warning that prompts, media, and metadata are transmitted to a third-party backend. This is a meaningful privacy and transparency issue, especially for user-supplied media that may contain sensitive or proprietary content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal