Free Free Image

Security checks across malware telemetry and agentic risk

Overview

This is a cloud image-to-video skill that clearly relies on NemoVideo APIs, with no executable install payload or evidence of hidden or destructive behavior.

Install only if you are comfortable sending selected images, videos, audio, URLs, prompts, and related metadata to NemoVideo for cloud processing. Avoid confidential or regulated media unless NemoVideo's terms fit your needs, and ask the agent to confirm before uploads or remote processing if you want tighter control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 86% confidence
Finding
The example invocations are broad and generic enough that the skill could activate on ambiguous requests like 'convert my images' or 'find and use a free stock' without clearly signaling that it will contact a third-party cloud service. That increases the chance of unintended activation and unexpected transmission of user prompts or files to the backend.

Vague Triggers

Medium, 93% confidence
Finding
The routing table sends 'Everything else' to the SSE action, making the default behavior to forward arbitrary user input to the remote backend. In a skill that can upload files, create sessions, and process user content in the cloud, this broad fallback materially increases the risk of unintended data disclosure and unauthorized external actions.

Missing User Warnings

Medium, 95% confidence
Finding
The skill description and setup flow instruct the agent to connect automatically to a cloud backend and process uploads, but they do not present a clear user-facing warning that prompts, files, and metadata will be sent off-platform. This undermines informed consent and is more dangerous here because the skill handles user-supplied media and automatically provisions anonymous tokens and sessions.

VirusTotal

61/61 vendors flagged this skill as clean.
