ClawHub

Gif Video Maker Free Download

Security checks across malware telemetry and agentic risk

Overview

This is a cloud GIF/video-to-MP4 helper that uses NemoVideo APIs as described, though users should be aware their prompts and media may leave the local environment.

Install only if you are comfortable sending the prompts, files, and generated video state you provide to NemoVideo for cloud processing. Avoid confidential or sensitive media, use a dedicated token when possible, and be deliberate with upload/export commands because the skill's trigger language is broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill invites activation with very generic phrases like 'tell me what you're thinking' and broad examples such as 'export 1080p MP4', which can cause the skill to engage when a user did not clearly intend to invoke this external-processing workflow. In this context, accidental invocation matters because the skill is designed to immediately connect to a third-party API and potentially send user prompts or media off-platform.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The keyword routing uses very broad matches like 'export', 'download', 'status', and 'upload', which are common words that may appear in many unrelated conversations. Because these rules can trigger actions in a skill that performs authenticated external API calls and file handling, unintended invocation could expose user content or cause actions the user did not mean to initiate.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description and onboarding do not clearly warn users that their prompts, uploaded media, and session data are sent to external cloud APIs operated by a third party. This lack of disclosure is security- and privacy-relevant because users may share sensitive media under the assumption processing is local or platform-native, while the skill is actually transmitting data to remote services and creating remote sessions/tokens.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal