Ai Image To Video Mod

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud image-to-video skill, but users should know it sends selected media and prompts to nemovideo.ai and creates a provider session.

Install only if you are comfortable sending chosen images, prompts, and render metadata to nemovideo.ai. Keep any NEMO_TOKEN private and avoid confidential, regulated, or client-sensitive media unless that provider is approved for your use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding:
The skill is instructed to silently obtain anonymous tokens and create backend sessions automatically, which causes the agent to authenticate to a third-party service and provision remote resources without explicit user consent. In this context, that expands the trust boundary and can lead to unintended account creation, hidden remote processing, and transmission of user data to an external service.

Vague Triggers

Medium
Confidence: 76%
Finding:
Routing virtually all unmatched input to the SSE generate/edit path is overbroad and may cause unrelated user messages to be forwarded to the remote backend. In a skill that sends prompts to an external service, this increases the risk of unintended data disclosure and unexpected actions being taken on ambiguous input.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The setup flow and API instructions show that images, prompts, and session data are transmitted to a remote backend, but the skill does not clearly warn users of this at the point of use. For a media-processing skill handling user uploads, lack of transparent disclosure can result in users unknowingly sending potentially sensitive content to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.
