Image To Video Create Ai

Security checks across malware telemetry and agentic risk

Overview

This is a cloud-based image-to-video skill whose network, upload, token, and session behavior fits its stated purpose, though users should treat uploaded media as leaving their device.

Install if you are comfortable sending selected images, prompts, and project state to NemoVideo cloud services for rendering. Avoid private, regulated, or sensitive media unless you trust that provider, and use the skill for explicit image/video creation tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence: 86%
Finding
The routing rule sends essentially all unmatched user inputs to the generation/edit SSE path, which increases the chance of unintended external actions and cloud submission of prompts or files without sufficiently explicit user intent. In a skill that can upload content and trigger remote processing, broad catch-all dispatch is risky because ambiguous requests may cause data to be sent to the backend automatically.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill encourages users to drop images into chat and states it handles processing on cloud GPUs, but it does not clearly warn at the point of use that uploaded files and prompts are transmitted to a third-party cloud backend. This creates a privacy and consent problem, particularly because users may share sensitive images or media assuming processing is local or opaque.

Missing User Warnings

Low
Confidence: 89%
Finding
The skill automatically acquires an anonymous token and creates a remote session on first use, but this automation is not clearly disclosed to users in the user-facing description. While not as severe as silent file upload, it still reduces informed consent and may surprise users by initiating external authentication/session activity without explicit approval.

Session Persistence

Medium
Category: Rogue Agent
Content
version: "1.0.0"
displayName: "Image to Video AI Creator — Convert Images Into Video Clips"
description: >
  Skip the learning curve of professional editing software. Describe what you want — turn these photos into a smooth video with transitions and background music — and get animated video clips back in 30-60 seconds. Upload JPG, PNG, WEBP, HEIC files up to 200MB, and the AI handles AI video creation automatically. Ideal for marketers, social media creators, small business owners who want to create videos from photos without video editing skills.
metadata: {"openclaw": {"emoji": "🖼️", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}, "primaryEnv": "NEMO_TOKEN", "variant": "greeting_v2"}}
---
Confidence: 74%
Finding
create videos from photos without video editing skills. metadata: {"openclaw": {"emoji": "🖼️", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config

VirusTotal

66/66 vendors flagged this skill as clean.
