Video Generator Free No Login

Security checks across malware telemetry and agentic risk

Overview

This skill is a real cloud video generator, but it can automatically create or use service tokens and broadly send user prompts or files to a remote backend without clear user confirmation.

Install only if you are comfortable sending prompts, images, audio, and video files to mega-api-prod.nemovideo.ai. Before using it, ask the agent to confirm before creating a token, using NEMO_TOKEN, uploading files, or starting remote generation, and avoid confidential media unless you trust the service and its retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium, 90% confidence
Finding:
The skill instructs the agent to obtain and use authentication tokens, including anonymously minting a starter token, before serving user requests. That behavior expands the skill from simple local video generation into remote account/session provisioning and credential handling, which increases risk of unauthorized API use, silent third-party data transfer, and abuse of free-tier resources without clear user consent.

Vague Triggers

Medium, 79% confidence
Finding:
The example invocation language is broad enough that the skill may trigger on generic requests about creating or describing videos, rather than an explicit request to use this specific remote service. Over-broad activation raises the chance that user content is routed to this cloud backend unexpectedly, causing unintended uploads or processing.

Vague Triggers

Medium, 88% confidence
Finding:
The catch-all rule routes nearly all unmatched requests to the SSE action, which effectively makes remote processing the default behavior. In a skill that uploads user text or media to a third-party cloud service, ambiguous fallback routing increases the likelihood of accidental data disclosure and unintended execution of remote actions.

Missing User Warnings

Medium, 94% confidence
Finding:
The skill describes cloud rendering and backend sessions, but it does not present a prominent up-front warning that user prompts and uploaded files are transmitted to and processed by an external service. For a media tool handling potentially sensitive user files, lack of explicit disclosure undermines informed consent and can expose private content to third-party infrastructure unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
