Video Leonardo Simple

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill is purpose-aligned, but it needs review because it can automatically connect, use or obtain tokens, and send broad requests or media to a third-party cloud API.

Review before installing. Use it only for media you are comfortable sending to the NemoVideo backend, avoid sensitive or proprietary files unless you trust that service's handling, and prefer a dedicated least-privilege NEMO_TOKEN. Confirm that your agent should connect and upload before letting it process files or broad prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The invocation text is broad enough that ordinary conversational requests could unintentionally activate the skill. In an agent environment, overbroad activation can cause unexpected network actions, session creation, token acquisition, or file handling against a remote backend without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The example trigger phrase 'generate my images or prompts' is too vague and can match many benign requests unrelated to this specific tool. That increases the chance of accidental routing into a workflow that uploads content or contacts an external API without the user's informed consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The catch-all routing rule sends nearly all remaining requests into the SSE generation path, making unintended activation likely. In context, that is more dangerous because the SSE path drives remote stateful editing operations and may process user-supplied files or prompts through a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to read and use `NEMO_TOKEN` directly, and to acquire anonymous tokens automatically, without any credential-handling warning or consent boundary. In an agent setting, this can normalize silent use of secrets and remote authentication, increasing the risk of unintended token exposure, misuse of paid accounts, or backend actions performed under user credentials without clear awareness.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill encourages users to drop images or prompts into chat and states it will handle cloud video generation, but it does not clearly warn that uploaded files are transmitted to a remote third-party backend. That omission is security-relevant because users may share sensitive images, videos, or proprietary media without understanding the external data transfer and retention implications.

Session Persistence

Medium
Category
Rogue Agent
Content
version: "1.0.0"
displayName: "Video Leonardo Simple — Generate Video Clips from Images"
description: >
  Skip the learning curve of professional editing software. Describe what you want — turn this image into a short animated video clip — and get AI generated clips back in 30-90 seconds. Upload JPG, PNG, WEBP, MP4 files up to 200MB, and the AI handles AI video generation automatically. Ideal for content creators, marketers, social media managers who want to create video content from still images without manual animation skills.
metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}, "primaryEnv": "NEMO_TOKEN", "variant": "short_prompts"}}
---
Confidence
79% confidence
Finding
create video content from still images without manual animation skills. metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config

VirusTotal

VirusTotal findings are pending for this skill version.
