Ai Music Video Generator Free

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill connects to Nemo Video’s cloud service to turn uploaded media into videos, and its remote processing and token use are broadly disclosed and purpose-aligned.

Before installing, be aware that prompts, uploaded media, render state, and requests authenticated with your account token go to Nemo Video’s cloud API. Avoid uploading private, confidential, or rights-sensitive media unless you are comfortable with that service processing it, and expect use of NEMO_TOKEN to act on the associated account or credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The routing table uses broad trigger phrases like "upload," "status," "export," and sends "everything else" to the SSE edit path, which can cause the skill to activate on generic media-editing requests beyond the user's clear intent to use this specific third-party service. In this context, that overbroad matching is risky because activation causes remote API interaction, session creation, and possible media transmission to an external backend.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the agent to connect to a remote backend and create sessions before handling requests, but it does not provide a prominent user-facing disclosure that prompts and uploaded media will be transmitted off-platform. This creates a privacy and consent issue, especially because users may share copyrighted, personal, or otherwise sensitive audio under the assumption processing is local or first-party.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill reads `NEMO_TOKEN` directly from the environment and uses it for authenticated API calls without any user-facing disclosure or consent. Accessing ambient credentials is sensitive because it can silently consume a user's paid quota, act on their account, and expose the existence of privileged tokens to an untrusted third-party workflow.

VirusTotal

65/65 vendors flagged this skill as clean.
