Video Generator Free Api Key

Security checks across malware telemetry and agentic risk

Overview

This is a real-looking cloud video generator skill, but it automatically creates remote sessions/tokens and broadly routes prompts/uploads to a third-party backend with limited user-facing disclosure.

Review before installing. Use only non-sensitive prompts and media, and prefer a dedicated low-value NEMO_TOKEN if you provide one. Be aware the skill can automatically obtain a temporary token, create remote sessions, upload files, consume credits, and export rendered videos through NemoVideo's API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill instructs the agent to automatically obtain and use an anonymous token from a third-party service when no user-provided credential is present. This expands the skill from simple prompt handling into autonomous account/session acquisition on a remote backend, which can transmit user data and create external state without clear user consent.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The manifest markets simple text-to-video generation, but the body documents a much broader upload, editing, state inspection, and export pipeline. This capability mismatch can mislead users and reviewers about what data the skill can collect and what remote actions it may perform.

Vague Triggers

Medium
Confidence: 85%
Finding
Routing essentially all unmatched input to the generation/SSE action makes accidental invocation likely and can cause unexpected transmission of arbitrary user text to the remote backend. In a skill that also creates sessions and persists remote state, broad triggers materially increase the chance of unintended data disclosure or costly actions.

Vague Triggers

Medium
Confidence: 81%
Finding
The suggested invocation phrase 'tell me what you're thinking' is overly vague for a skill that forwards prompts to an external service. This raises the likelihood that users share sensitive or irrelevant text that gets sent off-device without understanding that they are invoking a remote video-generation workflow.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill does not clearly warn users that prompts, uploaded files, and session state are sent to a remote backend for processing. Because this skill supports uploads and session-based editing, the omission can lead to inadvertent disclosure of sensitive content, metadata, or copyrighted material to a third party.

VirusTotal

VirusTotal findings are pending for this skill version.
