ClawHub

Text To Video Gratis

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud text-to-video skill, but users should know their prompts and uploaded files are sent to nemovideo.ai for processing.

Install only if you are comfortable sending prompts, uploaded TXT/DOCX/PDF content, and generated project state to nemovideo.ai. Avoid using it with private, regulated, or confidential documents unless you trust that provider's data handling, and invoke the skill explicitly when you want video generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation examples are very broad and include short generic phrases like "convert my text prompt" and an incomplete example ("turn this blog intro into a"), which can cause the platform to route unrelated user requests into this skill unintentionally. In a skill that uploads content and sends requests to a remote backend, accidental activation increases the chance of unintended data disclosure or unexpected external API usage.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing table contains a catch-all rule that sends "Everything else" to the SSE generation path, which is an ambiguous trigger scope. This means many ordinary requests could be forwarded to the remote service without a clear user instruction to use this particular skill, increasing the risk of unintended prompt/file transmission and unexpected billable or state-changing actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description encourages users to upload text and files but does not clearly warn that prompts and uploaded content are sent to a third-party remote backend. Because users may provide sensitive documents up to 500MB, the lack of a clear disclosure undermines informed consent and can lead to accidental exposure of confidential data.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
The session creation flow hard-codes `"language":"en"` without user choice or explanation. While not a direct exploit primitive, it can cause user content to be processed under the wrong language setting, increasing the chance of mistranslation, malformed prompts, or incorrect handling of non-English content sent to the external backend.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal