ClawHub

Professional Ai Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation connector, so its token, upload, and rendering behavior fits its stated purpose, though users should treat it as a third-party cloud service.

Install this only if you are comfortable sending scripts, prompts, uploaded media, and video draft data to Nemovideo's cloud backend. Avoid confidential or regulated content unless that provider is approved for your use case, protect any NEMO_TOKEN, and confirm uploads or exports before using credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to bootstrap anonymous authentication, generate a client identifier, obtain tokens, and manage session creation. That behavior expands the skill from simple video generation into credential acquisition and account/session handling, which increases the attack surface and can enable unreviewed outbound connections and token use without explicit user awareness.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The skill derives `X-Skill-Platform` from the local installation path and transmits platform/source/version attribution headers on every request. While not directly enabling code execution, this collects and exfiltrates host-environment metadata unrelated to core video rendering, creating unnecessary fingerprinting and privacy exposure.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The description and invocation wording are broad enough that common phrases about generating videos from text or prompts could activate the skill outside clearly scoped user intent. Over-broad triggering is dangerous here because activation causes cloud interaction, session creation, and possible content upload to a third-party backend.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The getting-started examples are generic content-generation requests rather than clearly namespaced skill invocations. This increases the chance of accidental routing, which is more serious in this context because the skill can initiate remote processing and transmit user-provided scripts or files.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill says it connects to a cloud processing backend and auto-connects on first use, but it does not provide a clear up-front warning that user scripts, prompts, and uploaded files may be sent to a third-party service. Because this skill processes potentially sensitive marketing materials or media, lack of informed consent materially increases privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal