ClawHub

Video Generator Free Online Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation connector, but users should treat prompts and uploaded media as being sent to Nemo Video’s service.

Install only if you are comfortable sending video prompts, images, audio, and video files to the Nemo Video cloud backend. Avoid confidential or regulated media, consider using a dedicated NEMO_TOKEN, and confirm ambiguous generation/edit requests before the agent uploads content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The routing rule sends essentially all unmatched prompts to the SSE action, which can cause accidental invocation of this skill for unrelated user requests and unintended transmission of user content to the third-party backend. In this skill, that is more dangerous because the SSE path may upload prompts, create sessions, and drive remote editing/render operations, increasing the chance of privacy leakage and unauthorized external actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to upload user files and prompts to a remote service and even says to keep technical details out of the chat, but it provides no user-facing disclosure or consent flow about external transmission, storage, or token-backed processing. This creates a meaningful privacy and data-handling risk, especially because supported inputs include user media files up to 200MB and the backend is a third-party cloud rendering service.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
Hard-coding the session language to English without user choice can cause user prompts or generated outputs to be processed under an unintended language context, which may degrade accuracy, mis-handle multilingual content, or expose sensitive content to avoidable translation/interpretation errors. While not as severe as direct data exfiltration, it is still a trust and correctness issue in a skill that processes arbitrary user media and text remotely.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal