Explicit Ai Video Generator Free

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud AI video-generation skill, but users should know prompts and selected media are sent to NemoVideo's backend.

Install only if you are comfortable sending prompts, selected files or media URLs, and generated project state to NemoVideo's cloud service. Treat NEMO_TOKEN as a credential, avoid private or sensitive media unless you trust the service, and use explicit video-generation or export instructions to reduce accidental requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The invocation guidance is broad enough that ordinary conversation like 'tell me what you're thinking' or partial phrases could unintentionally activate the skill. This can cause users to send prompts or files to the remote video backend without a clear, deliberate action boundary, increasing the risk of unintended data disclosure and unexpected external API use.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The catch-all rule routing 'Everything else' to SSE makes the skill overly permissive and ambiguous. In practice, many unrelated user utterances could be forwarded to the backend, resulting in accidental transmission of sensitive text, unintended job creation, or confusing behavior that the user did not explicitly request.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The description says the skill connects to a cloud processing backend, but it does not clearly warn users that their prompts, uploads, and generated media are sent to a third-party remote service. This weakens informed consent and may expose sensitive or proprietary content to external processing without adequate notice.

Missing User Warnings

Severity: Low
Confidence: 93%
Finding:
The anonymous-token flow silently creates a remote identity/session by generating a client UUID and obtaining a token, but it does not instruct the agent to notify the user that a remote account-like session is being established. This can create hidden persistence and tracking concerns, especially when paired with session state retained by the backend.

VirusTotal

66/66 vendors flagged this skill as clean.
