Ai Free Image To Video Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud image-to-video skill, with privacy considerations around uploading media to Nemo Video and storing a local anonymous client ID.

Install only if you are comfortable sending selected images, prompts, and related metadata to Nemo Video for cloud processing. Avoid sensitive personal, confidential, or proprietary media unless you trust that service's handling, and remove ~/.config/ai-free-image-to-video-generator/client_id if you want to clear the anonymous local identifier.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill presents itself as a simple image-to-video generator, but the documented API surface exposes generic session editing, state inspection, and export capabilities that go beyond the advertised purpose. This mismatch increases the chance of overbroad backend access being used to manipulate or exfiltrate unrelated media/session content, especially if the agent is granted user files and follows broad natural-language instructions.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
Allowing upload by arbitrary URL expands the trust boundary from local user-supplied images to remote network resources, which is not necessary for the stated function of animating a still photo. If abused, this can enable unauthorized fetching of third-party content, access to internal URLs depending on backend protections, or ingestion of unexpected media types under the guise of a simple image upload flow.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to create a local client ID file and perform network authentication automatically, but only tells the user 'Connecting...' and 'Ready!' without meaningful disclosure. Silent file creation and outbound authentication can surprise users, undermine consent, and create privacy risk because identifiers and uploaded media are sent to a third-party backend without an explicit warning.

VirusTotal

63/63 vendors flagged this skill as clean.
