ClawHub

Ai Video Generator Free Online

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill appears purpose-aligned, but it may send prompts or media to NemoVideo's cloud service too broadly and without clear user confirmation.

Review before installing. Use it only for non-sensitive media you are comfortable sending to NemoVideo's cloud service, prefer a dedicated NEMO_TOKEN, and require explicit confirmation before uploads, URL processing, or free-form generation requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation examples are broad enough that ordinary phrases like sharing text, images, or asking to 'get started' could activate this skill unexpectedly. In context, the skill immediately connects to a remote backend and may upload user content, so overbroad triggering increases the risk of unintended data transfer to a third-party service.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The catch-all routing rule sends 'Everything else' to the SSE action, which is overly permissive and can cause unrelated user requests to be forwarded to the cloud service. Because the SSE endpoint transmits user messages off-platform, this ambiguous routing expands the chance of accidental exfiltration of prompts or sensitive context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to establish a backend connection and process user text or uploaded images through a cloud rendering pipeline, but it does not clearly warn users that their prompts and media are sent to an external service. This undermines informed consent and can expose sensitive images, videos, or business content to a third party without adequate notice.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal