ClawHub

Genv Ai Video Generator

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is a disclosed cloud AI video generator, but users should understand that prompts and media are sent to NemoVideo's backend.

Install only if you are comfortable sending selected prompts, images, audio, or video files to NemoVideo's cloud backend. Avoid confidential or regulated media unless you trust that service, and treat NEMO_TOKEN/session details as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill advertises simple video generation, but its implementation also performs anonymous authentication, token acquisition, and persistent session management against a third-party service. This expands the data and trust boundary beyond what a user would reasonably infer from the manifest, creating a disclosure and consent gap around account/session creation and remote processing.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The skill derives and sends platform attribution from local install paths, which is unrelated to the core function of generating videos. Even if low risk, this is unnecessary environment fingerprinting that leaks host metadata to the remote service and increases privacy exposure without clear user benefit.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The invocation rules are broad enough that ordinary video-editing or export requests could route to this skill unexpectedly. That increases the chance that user media or prompts are sent to the external backend without clear intent, especially when generic words like upload, export, status, or download trigger actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages users to upload prompts and media files to a cloud backend but does not clearly warn, at the point of use, that content will be transmitted to a third-party service. This can lead to unintended disclosure of sensitive media, proprietary marketing assets, or personal information contained in uploaded files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal