ClawHub

Ai Animation Generator Free

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud animation skill, but it is too broad about what user messages and media may be sent to the third-party backend.

Install only if you are comfortable sending animation prompts, media files, and related session data to the NemoVideo backend. Avoid private, confidential, regulated, or proprietary content unless the publisher documents privacy, retention, and deletion practices and the skill asks before uploads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation examples are broad enough that ordinary user phrases could unintentionally trigger the skill and start external API interactions or upload workflows without clear confirmation. In a skill that sends prompts and media to a third-party backend, over-broad activation increases the risk of accidental data disclosure and unintended actions.

Vague Triggers

High
Confidence
96% confidence
Finding
Routing 'Everything else' to the generation path creates an ambiguous catch-all that can cause almost any unmatched prompt to be sent to the backend SSE endpoint. This is dangerous because unrelated or sensitive user input may be interpreted as animation instructions and transmitted externally without sufficiently specific intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages users to share text prompts or images but does not clearly disclose that this content will be transmitted to an external service. Users may provide sensitive personal, proprietary, or copyrighted material without informed consent, creating a privacy and compliance risk.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
Forcing session creation with `language":"en"` without user choice can cause unintended translation, misinterpretation of prompts, or processing in a language the user did not select. While not a classic security flaw, it can degrade accuracy and cause privacy issues if multilingual content is transformed unexpectedly before external processing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal