ClawHub

Meta Video Generation Free

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill appears aligned with its purpose, but it should be reviewed because it can automatically contact a third-party backend and its activation wording is too broad.

Install only if you are comfortable with prompts, images, files, session metadata, and generated outputs being handled by the Nemo Video remote service. Avoid confidential brand assets, private images, or sensitive personal data unless the publisher narrows activation phrases and adds explicit consent before backend connection or upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill invites activation from very broad phrases like sharing text or images, which could cause the agent to invoke this skill during ordinary conversation rather than after a clear user request. Because the skill then performs automatic backend setup and may obtain tokens or initiate remote processing, accidental invocation can lead to unintended data transfer and external service interaction.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example trigger phrases are vague, incomplete, and highly generic, such as 'export 1080p MP4' or 'generate my text or images', making false activation more likely. In this skill's context, mistaken routing is more dangerous because activation can automatically connect to a remote backend and process user-provided media without a strong confirmation boundary.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description tells users to drop text or images into chat and states processing occurs on cloud GPUs, but it does not clearly warn that uploaded content is transmitted to a third-party remote backend service. This is a meaningful privacy and data-handling issue because users may share product images, media, or sensitive business materials without informed consent about off-device processing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to connect to the processing backend automatically on first open, including obtaining an anonymous token if needed, without a clear consent notice. Automatic authentication and remote session creation increase the risk of silent third-party contact, background identifier generation, and unintended account/session establishment before the user knowingly agrees.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal