Image To Video No Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a remote image-to-video workflow that clearly depends on NemoVideo services, with privacy cautions but no evidence of hidden malicious behavior.

Install only if you are comfortable sending selected images, prompts, and render details to NemoVideo’s remote backend. Avoid confidential or regulated media unless you trust that service’s privacy and retention practices, and treat NEMO_TOKEN as a credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 89% confidence
Finding
The routing table sends 'Everything else' to the SSE action, which can cause this skill to activate for broad, unrelated user requests. In a skill that uploads media and sends prompts to a remote backend, overly broad activation increases the chance of unintended data transmission and user confusion about which service is handling their request.

Missing User Warnings

Medium, 95% confidence
Finding
The skill tells the agent to send images and instructions to `mega-api-prod.nemovideo.ai`, but the user-facing description does not clearly disclose that uploaded media and prompts leave the local environment and are processed by a third-party service. This weakens informed consent and may expose sensitive images, text, or metadata to an unexpected external processor.

Missing User Warnings

Medium, 96% confidence
Finding
The skill instructs automatic backend connection on first open and, if no token exists, silently obtains an anonymous token from a remote API. Automatic network access and credential acquisition without a clear warning or opt-in can surprise users and initiate external communication before they understand the privacy and account implications.

VirusTotal

64/64 vendors flagged this skill as clean.
