ClawHub

Video Generator Generator

Security checks across malware telemetry and agentic risk

Overview

This cloud video-generation skill is purpose-aligned, but it can automatically create remote sessions and broadly forward user text or files to a third-party backend without clear opt-in.

Install only if you are comfortable sending prompts, scripts, media files, and generated project state to nemovideo.ai. Use explicit commands for video generation, avoid sensitive or proprietary content, and ask the agent to confirm before creating a token, starting a session, uploading files, or forwarding ambiguous text to the backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to automatically obtain anonymous tokens and create remote sessions on behalf of the user, which expands the skill from simple video generation into autonomous account/session provisioning against a third-party service. This can trigger unintended external actions, consume third-party resources, and create opaque authorization state without explicit user consent or clear trust boundaries.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The phrase inviting users to 'share your text prompts' is so broad that it could match ordinary conversation and cause the skill to activate when the user did not intend to use this capability. Over-broad invocation increases the chance of accidental uploads, remote API calls, or routing unrelated text into the external video-generation backend.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example trigger 'generate my text prompts' is vague and could overlap with many benign requests unrelated to this skill. Because the skill performs networked actions and may establish sessions automatically, ambiguous triggers materially increase the risk of unintended execution.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The catch-all rule routing 'everything else' to the SSE action is unsafe because it effectively forwards a wide range of unmatched user inputs to a remote backend. In this skill, that means ordinary or unrelated user text may be sent off-platform, increasing risks of data exfiltration, unintended edits, or unauthorized third-party processing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal