ClawHub

Ai Video Generation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward AI video-generation skill, with the main cautions being the remote CLI installer and external processing of prompts and media URLs.

Install only if you trust inference.sh and its CLI installer. Prefer the manual checksum-verification path when possible, log in with the intended account, and do not submit confidential prompts, private images, internal URLs, audio, or video unless you are comfortable with inference.sh and its model providers processing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list contains very broad phrases like 'generate video', 'ai video', and 'create video with ai', which can match ordinary user requests and cause the skill to activate unintentionally. Over-broad activation can route prompts, media, or follow-on actions to an external service when the user did not explicitly choose this provider or capability.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages sending prompts, image URLs, audio URLs, and video URLs to inference.sh-backed external apps, but it does not clearly warn users that this data leaves the local environment and is processed by third-party services. This creates privacy and data-handling risk, especially for sensitive media, internal URLs, or confidential prompts.

External Script Fetching

High
Category
Supply Chain
Content
```bash
# Install CLI
curl -fsSL https://cli.inference.sh | sh && infsh login

# Generate a video with Veo
infsh app run google/veo-3-1-fast --input '{"prompt": "drone shot flying over a forest"}'
Confidence
98% confidence
Finding
curl -fsSL https://cli.inference.sh | sh

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal