Ai Video Generator No Limits

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud video-generation skill, but it needs review because it can automatically create a remote session and send prompts or media off-device with limited upfront user consent.

Review before installing. Use this only if you are comfortable with NemoVideo being contacted automatically, an environment token or anonymous seven-day token being used, and your prompts, uploaded media, and generated project state being sent to the remote service. Avoid private, regulated, or proprietary content unless you have independently verified the provider's privacy, retention, pricing, and export-limit terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill instructs the agent to silently acquire an anonymous token and create/manage backend sessions automatically. That expands the skill from simple media processing into credential acquisition and persistent remote account/session use without clear user consent, which can enable unintended third-party access patterns, quota abuse, and opaque data transfer.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
The skill derives attribution headers by inspecting local install paths and config locations, which is unrelated to the core task of generating videos. Accessing local environment details to fingerprint platform/install context increases unnecessary data exposure and can leak host-specific information to the remote service.

Vague Triggers

Medium
Confidence: 82%
Finding
The invocation rules are overly broad and include a catch-all route where 'everything else' is sent to the SSE backend. This creates a risk that ordinary conversation or unrelated user content gets forwarded to a remote service unintentionally, causing accidental data disclosure and unexpected actions.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill encourages users to upload prompts and footage to a remote backend but does not clearly warn that their media and text will be transmitted off-device for processing. In a media-generation context, uploads may contain sensitive business, personal, or unpublished content, so lack of disclosure materially increases privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.
