ClawHub

Ai Video Generator Free Capcut

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill that sends prompts and uploaded media to NemoVideo as expected, with no installer or hidden executable behavior found.

Install only if you are comfortable sending video prompts, uploaded images/audio/video, and generated project data to NemoVideo for cloud processing. Avoid confidential or sensitive media unless you trust that service, and use a dedicated NEMO_TOKEN if you provide one.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The suggested invocation phrases are broad enough that ordinary user language could unintentionally activate this skill or steer the agent into using it when the user did not clearly consent. In this skill's context, unintended activation is more concerning because it leads to network calls, token acquisition, and possible upload of user media to a third-party backend.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The catch-all rule routes 'Everything else' to the SSE action, making ambiguous or unrelated prompts eligible for backend submission. Because SSE appears to send free-form user messages to a remote editing service, this can cause unintended disclosure of user content and unnecessary external actions without clear authorization.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to establish a backend connection, acquire or use tokens, and create remote sessions, but the user-facing description does not clearly warn that prompts and uploaded media are transmitted to an external service. In a media-processing skill handling potentially sensitive images and videos, lack of transparent disclosure meaningfully increases privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal