ClawHub

Text To Video Converter Ai

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud text-to-video helper, but it needs review because it can send broad prompts, files, and session data to a third-party video API without clear user-facing consent.

Review before installing. Use it only if you are comfortable sending prompts, documents, uploaded media, session state, and a NEMO_TOKEN or anonymous token to nemovideo.ai. Avoid sensitive personal, legal, medical, or business files unless you trust that provider's data handling, and prefer a version that asks before connecting, uploading, or sending ambiguous prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing rule sends 'everything else' to the skill, which can cause the agent to invoke this remote, token-using integration for unrelated prompts. In context, that increases the chance of unintended data disclosure to the backend and unexpected external actions without clear user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to acquire authentication tokens, create a remote session, and keep those technical details out of the chat. Hiding backend authentication and session creation reduces informed consent and can lead users to unknowingly transmit content to a third-party service under temporary or anonymous credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill markets file upload and automatic processing by a cloud service but does not clearly warn users that their files and text will be transmitted to a remote API. Given support for large uploads and document types, users may share sensitive business or personal content without understanding the privacy implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal