Video Maker Free From Photos

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent cloud photo-to-video tool, but users should understand that it contacts NemoVideo and sends selected media for remote processing.

Install only if you are comfortable sending the photos, prompts, and any media URLs you choose to NemoVideo for cloud processing. Avoid sensitive personal images unless you trust that provider, and confirm which files or URLs will be uploaded before letting the skill generate or export a video.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Low
Confidence: 76%
Finding
Inspecting local install paths at runtime to infer platform attribution is unnecessary for the core user task and exposes local environment metadata to a remote service through request headers. Even if limited, this creates avoidable host fingerprinting and can reveal details about the user's tooling or installation layout without explicit user consent.

Vague Triggers

Medium
Confidence: 72%
Finding
The startup copy and invocation examples are broad enough that the skill could activate on vague phrases or any uploaded file, increasing the chance of unintended network actions such as automatic token acquisition and backend session creation. In context, this matters because the skill connects to a remote service and may upload user media, so accidental invocation can trigger privacy-impacting behavior.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill description emphasizes convenience but does not clearly warn that user photos, images, and session data are sent to a third-party remote processing backend. Because the content handled is personal media, lack of upfront disclosure can lead users to unknowingly transmit sensitive or private images off-device.

Missing User Warnings

Medium
Confidence: 96%
Finding
The instructions explicitly tell the skill to auto-connect to the backend and obtain an anonymous token without an explicit user-facing warning or consent step. Automatic authentication and session creation against a remote API can expose metadata, consume user-associated service credits, and normalize hidden network activity that users did not knowingly approve.

VirusTotal

65/65 vendors flagged this skill as clean.
