ClawHub

Image To Video Ai Free No Sign Up

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud image-to-video skill, with privacy considerations because it sends prompts and media to Nemovideo's remote service.

Install only if you are comfortable sending images, prompt text, session data, and limited client attribution to Nemovideo's cloud API. Avoid confidential or sensitive media unless that third-party processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The skill instructs the agent to infer and transmit platform attribution from local install paths such as ~/.clawhub/ or ~/.cursor/skills/, which collects host-environment information unrelated to core image-to-video conversion. This creates unnecessary local-environment fingerprinting and leaks client metadata to a remote service, increasing privacy risk and enabling service-side profiling of user setups.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Routing 'everything else' to the generation/SSE action is an overly broad trigger that can cause unrelated user input to be sent to the remote backend without clear intent. In a chat environment, this increases the chance of accidental data transmission, prompt confusion, and backend invocation on content the user did not mean to process through the external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs automatic backend connection and anonymous token acquisition on first open, before providing a clear user warning or obtaining consent for network transmission. This is dangerous because it initiates communication with a third-party service, creates identifiers, and handles authentication material automatically, reducing transparency around when user context and environment data are shared.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal