ClawHub

Free Video Generation Ai Online

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill is mostly aligned with its purpose, but it may automatically use credentials and send broad user prompts or files to a third-party service without clear confirmation.

Review before installing. Use it only with prompts and media you are comfortable sending to mega-api-prod.nemovideo.ai, and avoid providing a persistent NEMO_TOKEN unless you trust that service. The skill should ideally ask before creating sessions, using credentials, uploading files, or sending ambiguous requests to the backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example trigger phrases are broad and action-oriented enough that normal conversational requests about generating, exporting, or using images could invoke the skill unintentionally. In this skill, unintended invocation is more dangerous because activation leads directly into authentication and transmission of user prompts or files to a third-party cloud service.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table includes a catch-all rule that sends "Everything else" to the SSE action, which means a wide range of unrelated or ambiguous user inputs may be forwarded to the backend. Because SSE is the primary content-processing path, this can cause accidental disclosure of user text and unintended backend actions without sufficiently specific user consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to share text prompts or images and describes cloud processing, but it does not clearly warn that those prompts and uploaded files will be transmitted to an external API endpoint. In this context, users may provide sensitive media or proprietary text, so the lack of explicit disclosure creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The frontmatter declares use of an environment token and a local config path, but the skill never warns the user that it will access local credentials or configuration to authenticate against a third-party service. This is security-relevant because silent use of existing tokens can surprise users and expand the blast radius from simple prompt handling to account-linked actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal