ClawHub

Video Generator Free App

Security checks across malware telemetry and agentic risk

Overview

This is a plausible cloud video-generation skill, but it can automatically contact NemoVideo, create or use a token, and send user prompts or media with weak upfront disclosure.

Review this before installing if you use sensitive, private, client, or proprietary media. Ask the agent to confirm before connecting to NemoVideo, creating or using a token, uploading files, consuming credits, or exporting a render, and avoid relying on it for confidential media unless you are comfortable with NemoVideo cloud processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The routing table sends essentially any unmatched user prompt to the SSE generation/edit path, which increases the chance that unrelated or ambiguous requests trigger backend actions and transmit user content to the cloud service unexpectedly. In a media-processing skill, broad intent matching can cause unintended uploads, edits, or billable operations without clear user confirmation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill asks users to send images or clips but does not clearly warn up front that those files are transmitted to a third-party cloud backend for processing. This is a privacy and consent issue because users may share sensitive media without understanding where it is sent or stored.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill silently prefers an environment token and otherwise auto-acquires an anonymous token, without clearly informing the user that authentication will occur automatically and may bind requests to an existing account or device identity. While not an exploit by itself, this can lead to unintended account usage, credit consumption, and weak user consent around authentication behavior.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: video-generator-free-app
version: "1.0.0"
displayName: "Video Generator Free App — Create and Export Videos Free"
description: >
  Get ready-to-share videos ready to post, without touching a single slider. Upload your images or clips (MP4, MOV, JPG, PNG, up to 200MB), say something like "turn these photos into a 30-second promo video with music and text overlays", and download 1080p MP4 when it's done. Built for TikTok creators who move fast and want to create videos quickly without paying for or learning editing tools.
metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}, "primaryEnv": "NEMO_TOKEN", "variant": "greeting_v2"}}
Confidence
76% confidence
Finding
Create and Export Videos Free" description: > Get ready-to-share videos ready to post, without touching a single slider. Upload your images or clips (MP4, MOV, JPG, PNG, up to 200MB), say something

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal