ClawHub

Ai Video Maker Free Browser

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose network, token, upload, and render behavior matches its stated purpose, though users should understand that their media is sent to NemoVideo.

Install only if you are comfortable sending prompts and uploaded media to mega-api-prod.nemovideo.ai for cloud rendering. Avoid confidential or personal footage unless you trust that service, and prefer an account/token you can revoke.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs the agent to use an existing environment token or silently obtain an anonymous token and send it to a third-party backend, while explicitly telling the agent to hide technical details from the user. This creates an undisclosed credential-use and network-transmission path, which is risky because users may not realize authentication material is being consumed or that requests are leaving the local environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to upload media for cloud rendering and download results, but provides no explicit warning that potentially sensitive videos/images will be transmitted to and processed by a remote service. For a media-processing skill, this materially increases privacy risk because uploaded content can contain personal, confidential, or copyrighted data.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The session-creation step hardcodes `"language":"en"` without asking the user for preference, which can cause unexpected processing of prompts and outputs in the wrong language. This is mainly a user-consent and correctness issue rather than a direct security exploit, but it can still lead to mistranslation, misunderstanding, or mishandling of user instructions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal