ClawHub

Free Text To Video Llm

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud text-to-video helper whose uploads, token use, and remote rendering match its stated purpose, though users should be careful about what they send to the service.

Install only if you are comfortable sending prompts, uploaded files, and project state to NemoVideo's cloud service. Avoid uploading private, regulated, or confidential documents; keep NEMO_TOKEN private; and confirm before uploads, exports, or other credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill invites activation from very generic phrases like 'Share your text prompts' and example utterances such as 'generate my text prompts', which can overlap with ordinary conversation. This raises the risk of accidental invocation and unintended transmission of user prompts or files to the remote video service without sufficiently clear user intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table sends 'Everything else' to the SSE action, including generate/edit requests, without clear negative constraints or tighter intent checks. A broad catch-all like this can misroute unrelated user text into backend actions, causing unintended cloud requests, edits, or processing of sensitive content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Although the skill mentions a cloud backend and server-side rendering, it does not present a prominent, explicit warning that uploaded files and text prompts are transmitted to a third-party remote service for processing. Users may reasonably miss this and disclose sensitive documents or prompts without informed consent, especially given support for large file uploads.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal