Ai Video Generator Free Local

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill is advertised as local but normally sends prompts, media, tokens, and session state to a third-party cloud service.

Review before installing. Treat this as a third-party cloud video service, not a local generator. Do not use it with confidential, client, personal, or regulated media unless you accept transmission to NemoVideo, and protect any NEMO_TOKEN because it may carry session or credit authority.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The manifest and branding claim the tool is 'free local', but the instructions explicitly send prompts, uploaded clips, and session state to a remote cloud service. This is dangerous because users may disclose sensitive media or text under a false expectation of local-only processing, creating a material privacy and trust risk.

Intent-Code Divergence

High
Confidence: 99%
Finding
The title says 'Free Local' while the operational details require a cloud backend and cloud GPU rendering. This mismatch increases the chance that users will unknowingly send proprietary or personal content off-device, especially because the remote workflow is core to normal operation rather than an optional feature.

Vague Triggers

Medium
Confidence: 83%
Finding
The startup guidance invites broad natural-language input such as sharing prompts or clips, which can cause accidental activation during ordinary conversation or when users are discussing media casually. In this skill, accidental invocation is more concerning because invocation can lead to token acquisition, session creation, and possible cloud transmission of user content.

Vague Triggers

Medium
Confidence: 87%
Finding
The example triggers are vague and incomplete, including fragments like 'generate my text prompts or clips' and 'generate a 30-second video from my', which do not safely constrain when the skill should run. Because this skill initiates remote processing and export workflows, ambiguous triggers raise the risk of unintended cloud actions and unexpected handling of user data.

Missing User Warnings

Medium
Confidence: 96%
Finding
The description explains functionality but does not clearly warn users that prompts, clips, and session state are sent to a cloud backend. Without a conspicuous disclosure, users may provide sensitive media or proprietary scripts believing processing is local, leading to avoidable privacy and compliance exposure.

VirusTotal

64/64 vendors flagged this skill as clean.
