ClawHub

Ai Video Generator Free Lifetime

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide a cloud video-generation workflow, but it can route broad prompts and user media to an external backend with too little explicit user control or disclosure.

Install only if you are comfortable with prompts, images, and video content being processed by NemoVideo's cloud service. Avoid submitting private, confidential, or sensitive media unless the publisher adds clear consent, data-handling, and retention disclosures.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The getting-started prompt invites users to 'share your text or images' without requiring a distinctive invocation, making accidental activation more likely during ordinary conversation. Because this skill uploads user content to a third-party cloud backend and can create remote sessions automatically, an overly broad trigger increases the chance of unintended data transfer and external API use.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Example phrases like 'generate my text or images' and 'export 1080p MP4' are generic and could match many unrelated user intents, causing the agent to route requests into this skill unexpectedly. In this skill's context, misrouting is more dangerous because it can lead to automatic token acquisition, session creation, and third-party processing of user-provided media.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing rule sends 'Everything else' to the SSE action, effectively making nearly any unmatched prompt eligible for backend submission. Since the SSE endpoint forwards free-form user text to an external service and may trigger edits or processing, this catch-all behavior materially raises the risk of accidental disclosure of sensitive data and unintended external actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill clearly depends on a cloud backend and encourages users to drop text and images into chat, but it does not provide a prominent user warning that those materials will be uploaded to a third-party service for processing. In a media workflow, users may submit proprietary product photos, marketing drafts, or personal images, so the lack of disclosure meaningfully increases privacy and data-handling risk.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill instructs the agent to automatically obtain an anonymous token when none is present, but it does not require notifying the user that an external authentication flow is occurring. This is risky because it silently establishes an account-like credential and backend session, which may surprise users and normalize remote service use without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal