Ai Image To Video Adobe

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud image-to-video skill that is broadly coherent, but users should know their media and prompts go to NemoVideo, not Adobe.

Install only if you are comfortable sending selected images, videos, audio, URLs, editing prompts, and related session metadata to NemoVideo for cloud processing. Treat the Adobe wording as descriptive branding, not proof of Adobe ownership or affiliation, and avoid submitting private media or internal URLs unless you trust the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill is presented as a narrow image-to-video converter, but its documented capabilities extend into broader media editing, text/audio manipulation, URL ingestion, and multi-format export. This creates a scope mismatch that can mislead users and reviewers about what data and actions the skill can perform, increasing the risk of unexpected data handling and unauthorized workflow expansion.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
URL-based ingestion allows the skill to fetch remote content that the user may not have uploaded directly, which exceeds the stated purpose of converting user-provided images into videos. This increases risk of unintended external requests, ingestion of sensitive/internal URLs, and processing of third-party content without clear user awareness.

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation guidance uses broad natural-language examples that can match common user phrasing, making accidental invocation more likely. In combination with cloud upload and session creation behavior, this can cause unintended transmission of prompts or files to a third-party backend when users did not mean to invoke this specific skill.

Vague Triggers

Medium
Confidence: 96%
Finding
The routing table sends all unmatched requests to the SSE action via an unbounded catch-all rule. That means arbitrary user requests may be forwarded to the remote backend, greatly expanding the skill's effective scope and increasing the chance of accidental data disclosure, unintended processing, and abuse of the remote service.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill description does not clearly disclose that user prompts and uploaded images are sent to a cloud backend for processing, despite the workflow depending on remote APIs and cloud GPUs. This is a privacy and consent issue because users may provide sensitive media under the assumption that processing is local or limited.

VirusTotal

64/64 vendors flagged this skill as clean.
