ClawHub

Hd Free Video Generation

Security checks across malware telemetry and agentic risk

Overview

This instruction-only video-generation skill is coherent with its cloud API purpose, but users should understand that prompts, uploaded media, and token-backed actions go to a third-party service.

Install only if you are comfortable sending prompts, media files, and render metadata to mega-api-prod.nemovideo.ai. Do not provide a personal NEMO_TOKEN unless you trust the service with your account credits; the anonymous-token path is lower commitment but still contacts the service and creates a remote session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest presents the skill as simple text-to-video generation, but the body documents materially broader capabilities including upload, timeline editing, state inspection, credits lookup, and export management. This mismatch can mislead users and host platforms about the actual permission and data-handling scope, reducing informed consent and security review effectiveness.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically obtain anonymous tokens and create remote sessions before doing anything else, despite the public description not clearly disclosing account bootstrap or credential handling. Automatic credential acquisition and session creation increase the risk of undisclosed network activity, third-party access, and misuse of remote resources without meaningful user awareness.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation broadens the skill from prompt-based video generation into a general cloud editor with upload, state queries, credits inspection, and render-job management. That hidden expansion of functionality creates a scope gap between user expectations and actual behavior, which can expose user media and account metadata to operations they did not knowingly authorize.

Vague Triggers

Medium
Confidence
90% confidence
Finding
A broad catch-all route sends nearly any unmatched input to the SSE generation/edit path, making it easy for unrelated or ambiguous user requests to trigger remote editing actions. In a skill that performs authenticated network operations against a cloud editor, permissive routing increases the chance of unintended data transmission or state-changing actions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill directs automatic token acquisition and remote API/session setup on first interaction without first warning the user that their prompts and possibly media will be transmitted to a third-party service. This undermines informed consent and is especially risky in a media-processing skill where uploaded content, prompts, and metadata may be sensitive or proprietary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal