ClawHub

Video Generator For Free Online

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill that matches its stated purpose, but users should know their prompts and uploads go to NemoVideo for processing.

Install only if you are comfortable sending prompts, images, video files, URLs, and project state to NemoVideo cloud services. Use a dedicated or disposable token where possible, avoid confidential or regulated media unless the provider terms are acceptable, and ask the agent to confirm before uploads or exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The suggested trigger phrases are very broad and overlap with ordinary conversation, which can cause the skill to activate unintentionally when a user is speaking generally about generating, exporting, or creating content. In a skill that can upload user files and make authenticated remote API calls, accidental invocation increases the chance of unintended data transfer or actions without clear user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends user text, images, and possibly other media to a remote cloud backend, but the user-facing description does not clearly warn that their content leaves the local environment for third-party processing. This creates a consent and privacy risk because users may share sensitive product assets or personal media without understanding where the data is processed or stored.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The skill instructs the agent to translate backend GUI-oriented responses automatically without confirming the user's language or locale preferences. This can cause misleading or incorrect action summaries, especially around uploads, edits, and exports, which may result in the user approving or misunderstanding remote operations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal