ClawHub

Ai Image To Video Anime

Security checks across malware telemetry and agentic risk

Overview

The skill matches its cloud anime-video purpose, but it can connect to NemoVideo and send broad prompts or uploaded media externally without clear user confirmation.

Install only if you are comfortable with NemoVideo receiving prompts, selected images or URLs, client identifiers, and render-session metadata. Avoid confidential or sensitive media, prefer a limited-purpose token or anonymous token, and ask the agent to confirm before creating a session or uploading content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The routing rule sends virtually any unmatched prompt to the SSE generation workflow, which can cause the skill to transmit user text to the third-party NemoVideo backend even when the user did not clearly intend to invoke this skill or external processing. In an agent environment, broad fallback matching increases the chance of accidental activation, unintended data disclosure, and unexpected cloud-side actions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The suggested invocation phrases are short and generic, such as 'export 1080p MP4' and 'convert my still images', which overlap with normal user language and can cause accidental skill activation. Because this skill performs automatic setup and connects to a remote service on first interaction, ambiguous triggers raise the risk of unintended token generation, session creation, and data transfer to a third-party API.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to connect to a third-party cloud API and later upload user images and prompts, but it does not present a clear user-facing warning that their content will leave the local environment and be processed by NemoVideo. This undermines informed consent and can expose sensitive images, prompts, and derived metadata to an external service without adequate notice.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal