ClawHub

Easy Ai Video Generator

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill is purpose-aligned, but it uses broad triggers and automatic cloud setup for a workflow that can send prompts and media to a third-party backend.

Review before installing. Use it only if you are comfortable sending prompts, images, audio, and video files to NemoVideo cloud services. Avoid confidential or personal media, and require explicit confirmation before token setup, uploads, generation, edits, or exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The getting-started prompt is broad enough that ordinary user text or image-sharing language could invoke the skill without clear user intent. In this skill, unintended invocation is more sensitive because it can initiate cloud setup and send user prompts or uploaded media to a third-party backend, creating privacy and consent risks.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Example trigger phrases like 'generate my text or images' and 'create a 30-second product video from' are vague and overlap with normal conversational requests. Because the skill automatically routes broad generation/edit requests and performs remote processing, this increases the chance of accidental activation and unintended disclosure of user content to the service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The user-facing description emphasizes convenience but does not clearly warn that prompts, media, and related session data are transmitted to a cloud backend for processing. In a media-generation skill that handles user uploads and text content, lack of upfront disclosure undermines informed consent and can expose sensitive business or personal material to a third-party service unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal