Image To Video King Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud image-to-video workflow, with no evidence of hidden installation, unrelated file access, or destructive behavior.

Install only if you are comfortable sending selected images, prompts, and project/session data to NemoVideo's cloud service. Avoid using it with sensitive personal, confidential, or regulated media unless you have reviewed the service's privacy and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The quick-start prompts are generic enough that ordinary user language like "convert my still images" or "export 1080p MP4" could activate or steer the skill without a strong, explicit invocation boundary. In a skill that uploads user media and interacts with a cloud backend, broad trigger phrasing increases the chance of unintended activation and accidental transmission of user content or requests to third-party services.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing table includes an "Everything else" catch-all that sends unmatched requests into the SSE generation path, which creates ambiguous activation boundaries and can cause unrelated user requests to be processed by this external service. Because the skill supports uploads, editing, and cloud rendering, a catch-all route materially raises the risk of unintended backend calls, privacy leakage, and confusing cross-skill behavior.

Missing User Warnings

Medium
Confidence: 88%
Finding
Although the document mentions a cloud processing backend, it does not present a clear, prominent user warning that uploaded images, prompts, and derived project state are sent to and processed by a remote third-party service. For a media-handling skill, this omission can lead users to share sensitive photos or text without informed consent, increasing privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.
