Interactive Video Maker Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose network use, token use, uploads, and sessions are disclosed and aligned with its purpose, though users should treat uploaded media and URLs as shared with a third-party service.

Install only if you are comfortable sending video files, prompts, and any supplied media URLs to NemoVideo's cloud backend. Avoid confidential footage, private/internal URLs, or regulated data unless you have reviewed that service's data-handling terms and can reset or rotate the token if needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Low
Confidence: 88%
Finding
The skill is presented as accepting user-uploaded video files, but it also documents fetching remote URLs as upload sources. Allowing backend retrieval of arbitrary URLs expands the trust boundary and can enable server-side request forgery, unintended access to internal resources, or ingestion of attacker-controlled content without clear user awareness.

Vague Triggers

Medium
Confidence: 90%
Finding
The catch-all routing rule sends nearly any editing-related request to the backend SSE action, which can cause the skill to activate outside a narrowly defined scope. Overbroad triggering increases the chance of unintended data disclosure to the cloud service, surprising user actions, and misuse on prompts that were not clearly meant for this skill.

Missing User Warnings

Medium
Confidence: 94%
Finding
The public-facing description emphasizes easy interactive-video creation but does not clearly warn that uploaded media is transmitted to a cloud processing backend. This undermines informed consent and can expose sensitive video content, embedded metadata, or proprietary footage to third-party processing without adequate notice.

Session Persistence

Medium
Category: Rogue Agent
Content
---
name: interactive-video-maker-free
version: "1.0.0"
displayName: "Interactive Video Maker Free — Create and Export Interactive Videos"
description: >
  Skip the learning curve of professional editing software. Describe what you want — add clickable buttons and branching choices to my tutorial video — and get interactive video files back in 1-2 minutes. Upload MP4, MOV, AVI, WebM files up to 500MB, and the AI handles interactive element addition automatically. Ideal for educators and marketers who want to make videos interactive without expensive software.
metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}, "primaryEnv": "NEMO_TOKEN", "variant": "greeting_v2"}}
Confidence: 79%
Finding
Create and Export Interactive Videos" description: > Skip the learning curve of professional editing software. Describe what you want — add clickable buttons and branching choices to my tutorial vid

VirusTotal

64/64 vendors flagged this skill as clean.
