ClawHub

Text To Video No Limit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-generation skill; its main risks are expected sharing of prompts/files with NemoVideo and persistent session state, not hidden or unrelated behavior.

Use this skill only for content you are comfortable sending to NemoVideo for cloud processing. Avoid confidential or regulated documents unless you have verified the provider's data-handling terms, and clear local/session state if using a shared machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The example invocations are generic enough that normal conversation like 'export 1080p MP4' or 'generate my text prompts' could accidentally trigger the skill outside a clearly intentional context. Because this skill can upload user files and send prompts to a third-party service, unintended activation increases the risk of privacy-impacting actions and unexpected external API usage.

Vague Triggers

Medium
Confidence
98% confidence
Finding
The routing table includes an 'Everything else' catch-all that maps broad user language to the SSE action path, making activation highly ambiguous and error-prone. In context, that means arbitrary user requests may be forwarded to the remote backend, potentially disclosing prompts or causing external processing without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages users to upload prompts and files but does not provide a clear upfront warning that those materials are transmitted to NemoVideo's cloud API for processing. This creates a transparency and consent problem: users may share sensitive documents believing processing is local or agent-contained when it is actually sent to a third party.

Session Persistence

Medium
Category
Rogue Agent
Content
version: "1.0.0"
displayName: "Text to Video No Limit — Generate Videos from Any Text"
description: >
  Get ready-to-share videos ready to post, without touching a single slider. Upload your text prompts (TXT, DOCX, PDF, SRT, up to 500MB), say something like "turn this script into a 60-second video with visuals and background music", and download 1080p MP4 when it's done. Built for content creators who move fast and want to create videos from text without hitting duration or render limits.
metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}, "primaryEnv": "NEMO_TOKEN", "variant": "short_prompts"}}
---
Confidence
76% confidence
Finding
create videos from text without hitting duration or render limits. metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal