Free Text To Video Long

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-generation skill, but it can auto-create a remote NemoVideo session and forward overly broad prompts or files without a clear consent step.

Install only if you are comfortable sending prompts, uploaded files, and editing instructions to NemoVideo's cloud API. Avoid confidential or proprietary content unless you trust that provider, and prefer a version that asks before connecting or forwarding ambiguous messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 88% confidence

Finding: The skill description and example invocations are phrased so broadly that ordinary requests about generating videos from text could trigger the skill unintentionally. Over-broad activation increases the chance that users send sensitive content to a remote third-party backend without realizing this specific skill has taken control, especially because the skill also performs automatic connection and session setup.

Vague Triggers

High, 95% confidence

Finding: The catch-all rule routing 'Everything else' to the SSE backend gives the skill an effectively unlimited trigger surface. This makes accidental activation and unintended transmission of arbitrary user text highly likely, and it could cause unrelated conversation content to be forwarded to an external API for processing.

Missing User Warnings

Medium, 93% confidence

Finding: The skill instructs automatic backend connection, anonymous token acquisition, and session creation on first open without clearly informing the user that data will be transmitted to a remote service. This undermines informed consent and can expose user prompts, uploaded files, metadata, and usage patterns to a third party before the user explicitly agrees.

VirusTotal

64/64 vendors flagged this skill as clean.
