Ai Animated Video Maker

Security checks across malware telemetry and agentic risk

Overview

This is a cloud AI video-making skill that sends user prompts and media to its video service. That behavior matches its stated purpose.

Install only if you are comfortable sending prompts, images, audio, and videos to nemovideo.ai for processing. Avoid confidential or regulated media, use a dedicated NEMO_TOKEN where possible, and be aware the activation examples are broad enough that you may want to invoke the skill explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding
The suggested trigger phrases are extremely broad and include fragments like "create my text or images" and "turn my product description into a", which could be matched during ordinary conversation and cause unintended activation. Because this skill can upload user-provided files and send prompts to a remote backend, accidental invocation can expose content to third-party processing without a clear, deliberate user action.

Vague Triggers

Medium
Confidence: 96%
Finding
The routing rule that sends "Everything else" to the main SSE action creates an effectively catch-all activation path. In practice, this means many unrelated or ambiguous user messages could be forwarded to the cloud editing backend, increasing the risk of unintended data transmission, unexpected API actions, and user confusion about when the skill is active.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that it handles cloud GPU processing, but it does not clearly warn users that their prompts, uploaded media, and session data are transmitted to an external backend service. This lack of transparent disclosure is risky because users may share sensitive business assets or personal media without understanding that third-party cloud processing is involved.

VirusTotal

65/65 vendors flagged this skill as clean.
