Ai Video Generator Free Banana

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video generator, but it automatically creates a remote session and can send user prompts or media to NemoVideo with limited upfront consent.

Install only if you are comfortable with NemoVideo receiving your prompts, uploaded media, and related session metadata. Avoid confidential files, treat NEMO_TOKEN as a secret, and confirm before allowing backend setup or uploads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding
The invocation guidance includes a very broad phrase, "generate my text or images," which overlaps with normal conversational requests and can cause the skill to activate unintentionally. In this skill, unintended activation is more sensitive because activation can lead to automatic backend connection and remote transmission of user prompts or uploaded media to a third-party service.

Vague Triggers

Medium
Confidence: 89%
Finding
The example phrase "generate a free short video clip" is underspecified and generic enough to match many harmless user requests unrelated to this specific skill. That increases the chance of accidental routing into a workflow that may connect to a remote service and process user content without sufficiently explicit intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill sends prompts, files, and authentication-backed requests to remote endpoints, but the user-facing description and onboarding do not prominently warn that uploads and text are transmitted to external processing services. This creates a privacy and consent risk, especially because users may share images or other media assuming that processing is local or that opaque network use will not occur.

Missing User Warnings

Medium
Confidence: 96%
Finding
The instruction to "connect to the processing backend automatically" lacks an explicit privacy/safety warning or consent step. Automatic connection is more dangerous in this context because the skill also acquires anonymous tokens and establishes remote sessions, which can surprise users and normalize data exchange before they understand the external service relationship.

VirusTotal

66/66 vendors flagged this skill as clean.
