ClawHub

Ai Video Generator Free Beat

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-generation skill, but users should know it automatically connects to NemoVideo and sends media to that external service.

Install this only if you trust NemoVideo with the audio, video, prompts, and generated timeline data you provide. Avoid confidential media unless you accept external cloud processing, and prefer setting your own NEMO_TOKEN if you want more control than anonymous token creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The routing rules are broad enough to activate this skill for generic media-editing terms like generate, edit, upload, download, or status, which can cause the agent to invoke this third-party backend when the user did not clearly intend to use this specific service. In this skill, that overbroad matching is more dangerous because activation can lead to network calls, session creation, file upload, and export actions against an external API, increasing the risk of unintended data disclosure and confused-deputy behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically obtain an anonymous token and create a remote session on first use, without a clear user-facing consent step or warning that files and prompts will be sent to a third-party service. This is especially risky here because the token is fetched automatically, sessions are established silently, and the skill handles user media files, creating privacy, credential-handling, and unintended network-exfiltration concerns.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal