ClawHub

Ai Image To Video Making

Security checks across malware telemetry and agentic risk

Overview

This is a cloud image-to-video skill that sends selected media and prompts to NemoVideo for rendering, with privacy and consent caveats but no evidence of deception or malicious behavior.

Install only if you are comfortable sending selected images, videos, audio, prompts, and project state to NemoVideo cloud services. Treat NEMO_TOKEN as an account credential, expect anonymous-token and credit/session calls if no token is set, and avoid confidential or regulated media unless you trust the provider’s privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The skill can silently obtain anonymous authentication tokens and interact with credit-bearing backend resources without clear user consent or necessity tied to the advertised task. This creates a risk of unintended account/resource use and obscures to users that the skill is performing autonomous authentication and quota-consuming operations against a third-party service.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The invocation phrases are very broad and overlap with normal conversational language such as 'export' or 'upload', increasing the chance of accidental triggering. In a skill that uploads files and contacts remote APIs, unintended activation can lead to data being sent off-device or backend actions being taken without meaningful user intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to connect to a remote backend, create sessions, and upload user media, but it does not prominently warn users that their files and prompts are transmitted to third-party services. This undermines informed consent and can expose sensitive images, metadata, or prompts to external processing unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal