ClawHub

Ai Video Generator Free Minecraft

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud Minecraft-style video generator, and its token use, uploads, and render API calls match that purpose.

Install only if you are comfortable sending your prompts, uploaded media, and render/session data to nemovideo.ai and using a NEMO_TOKEN or anonymous token. Avoid uploading private, confidential, or regulated media unless you trust that provider's handling and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The manifest says the skill supports only MP4, MOV, WebM, and GIF up to 500MB, while the detailed documentation allows many additional video, image, and audio formats. This inconsistency can cause users and reviewers to underestimate what data types may be uploaded to the remote service, weakening informed consent and policy review.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
The manifest says the skill supports only MP4, MOV, WebM, and GIF up to 500MB, while the detailed documentation allows many additional video, image, and audio formats. This inconsistency can cause users and reviewers to underestimate what data types may be uploaded to the remote service, weakening informed consent and policy review.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The skill instructs runtime inspection of local install paths and config locations to derive attribution headers and environment/config details unrelated to core video generation. Even if limited, unnecessary local path probing expands the skill's access to host metadata and can reveal environment characteristics without a clear user need.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Routing 'everything else' to this skill creates an overbroad trigger that can capture unrelated user requests and send them into the skill's cloud-backed workflow. In context, that is dangerous because arbitrary prompts or files may be forwarded to the remote backend even when the user did not clearly intend to invoke this specific third-party service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup text emphasizes convenience and automatic connection but does not clearly warn users that prompts, uploaded files, and session data are transmitted to a cloud backend. Because the skill handles media uploads and persistent session state, the lack of explicit disclosure undermines informed consent and increases privacy risk.

VirusTotal

No VirusTotal findings

View on VirusTotal