ClawHub

Image To Video I

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud image-to-video helper that sends user images and prompts to NemoVideo for rendering, with no install-time code or hidden local persistence found.

Install only if you are comfortable sending uploaded images, prompts, and render metadata to NemoVideo's remote service using a NEMO_TOKEN or anonymous token. Avoid private, confidential, regulated, or proprietary media unless you trust that provider and understand its privacy, retention, and credit practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
75% confidence
Finding
Routing virtually all unmatched prompts into the generation/edit SSE action creates an overly permissive command surface, increasing the chance that unrelated or ambiguous user input is sent to the remote backend as an editing instruction. In a skill that transmits prompts and media to an external API, this can lead to unintended remote actions, accidental disclosure of sensitive prompt content, or misuse of user data under ambiguous intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill asks users to upload images and describe desired edits, but it does not clearly warn up front that both media and prompts are transmitted to third-party remote processing APIs. This weakens informed consent and increases privacy risk, especially because users may upload personal or proprietary images expecting local or minimally disclosed processing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal