Free Ki Video Generation

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: sends user prompts and media to NemoVideo cloud APIs to generate and export videos, with some privacy and consent caveats.

Install only if you are comfortable sending prompts, images, audio, or video files to NemoVideo's cloud service. Avoid confidential, regulated, or highly personal media unless you separately trust the provider's privacy and retention practices, and ask the agent to confirm before uploads or ambiguous generation requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding: The routing rule sends essentially all unmatched user input to the generation/SSE workflow, which makes accidental invocation likely and reduces user intent verification. In a skill that uploads content and sends prompts to a remote backend, overly broad activation increases the chance that unrelated user text or sensitive content is transmitted off-platform without clear consent.

Vague Triggers

Medium
Confidence: 88%
Finding: The example invocation phrases are vague and overlap with ordinary conversation, which can cause the skill to activate when the user did not clearly intend to use it. Because the skill performs remote processing and may upload user-supplied media or prompts, ambiguous activation increases privacy and consent risks.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill description and getting-started flow do not clearly warn users that prompts, images, session state, and render/export data are sent to a third-party cloud backend. This lack of transparent disclosure can lead users to share sensitive or proprietary content without understanding where it is processed or stored.

VirusTotal

65/65 vendors flagged this skill as clean.
