ClawHub

Free Ai Video Generator With No Restrictions

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-generation skill, but it should be reviewed because it can automatically connect to NemoVideo and send broad user prompts or media to a third-party backend.

Install only if you are comfortable with NemoVideo receiving your prompts and uploaded media for cloud processing. Avoid confidential, private, regulated, or rights-sensitive content unless you have reviewed NemoVideo’s terms, retention, pricing, credit, and export rules. Treat the “free/no restrictions/no usage limits” wording cautiously because the skill itself describes credits, expiry, and possible paid-plan export limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing table sends all unmatched user input to the SSE generation/edit pathway, creating a broad activation surface for a third-party video service. In a conversational environment, ordinary requests may be misclassified as commands, causing unintended prompt/file transmission to the external backend and accidental consumption of anonymous credits or user data exposure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation language is broad and overlaps with natural conversation, making accidental triggering more likely in normal chat. Because this skill automatically connects to an external API and may upload user prompts or clips, ambiguous activation increases the chance of unintended third-party disclosure and unauthorized task initiation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill repeatedly states that uploads and processing occur on NemoVideo's backend, but it does not present a clear user-facing warning at the point of use that prompts, scripts, clips, and other files are transmitted to a third-party cloud service. This is dangerous because users may share sensitive media or confidential text under the assumption of local handling, leading to privacy, compliance, or data-governance violations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal