ClawHub

Video Generator Free Gemini

Security checks across malware telemetry and agentic risk

Overview

The skill appears to match its video-generation purpose, but it can automatically connect to NemoVideo and broadly send prompts or uploaded media to the remote service without a clear confirmation boundary.

Install only if you are comfortable with prompts, uploaded images/video/audio, and related metadata being sent to NemoVideo for cloud processing. For safer use, require the agent to ask before setup, upload, generation/editing, export, or any action that may consume credits; avoid sending private or sensitive media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation examples are broad, generic phrasings that can overlap with ordinary user requests about video creation. This increases the chance the skill activates unintentionally and starts network setup or token acquisition before the user clearly intended to use this specific third-party service.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing rule sends 'Everything else' to the SSE action, creating ambiguous activation boundaries and making almost any unmatched user text a candidate for transmission to the backend. In this skill, that is especially risky because SSE messages are sent to a remote API and may include user prompts or editing instructions without a sufficiently explicit opt-in.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically connect to a third-party processing API, obtain or use a token, and later upload prompts or media, but it does not clearly warn users up front that their text and files will be transmitted off-platform. Because this skill handles potentially sensitive uploaded media and generated content, the lack of prominent disclosure meaningfully raises privacy and consent risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal