ClawHub

Simple Video Generator Cartoon

Security checks across malware telemetry and agentic risk

Overview

This is a cloud cartoon-video generation skill whose remote upload and token behavior matches its stated purpose, with some broad invocation wording users should notice.

Install only if you are comfortable sending prompts and uploaded images, audio, or video to NemoVideo's cloud service for rendering. Avoid private or sensitive media unless you have reviewed the provider's privacy and retention terms, and invoke the skill explicitly so ordinary requests are not accidentally treated as video-generation tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The starter phrases are extremely generic (for example, 'generate my text or images' and 'export 1080p MP4') and can easily match ordinary conversation outside a clearly scoped video-generation request. That increases the chance of accidental invocation and unintended transmission of user prompts or files to the remote NemoVideo service, especially because the skill auto-connects on first interaction.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing table includes a broad catch-all rule that sends 'Everything else' to the SSE generation path, which effectively treats most unmatched user input as an instruction to interact with the backend. In this skill, that is especially risky because the backend can trigger uploads, edits, and session operations, so ambiguous user text could cause unintended cloud actions or disclosure of user content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Although later sections mention remote GPU processing, the skill description and initial user-facing setup do not clearly warn that prompts, files, and derived timeline state are sent to external cloud services. Users may reasonably believe processing is local or not realize their uploaded media and text are transmitted off-device, undermining informed consent and increasing privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal