ClawHub

Ai Animation Generator From Image

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud image-to-video skill, but users should know it sends chosen media and prompts to NemoVideo and can create a remote session automatically.

Install only if you are comfortable sending selected images, prompts, project state, and generated media to NemoVideo for cloud processing. Avoid confidential or regulated media, use a dedicated token if possible, and confirm before uploads, exports, or credit-spending actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill advertises simple image-to-animation conversion, but the instructions expose a much broader remote media-editing surface including timeline manipulation, text/audio tracks, state inspection, uploads, and export orchestration. This mismatch can mislead users and hosting platforms about the real permissions and behaviors of the skill, increasing the risk of unintended data handling and overbroad invocation.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Including audio handling, multi-format media composition, and general editing/export capabilities exceeds the stated purpose of animating still images and violates least-privilege design. If invoked, the skill could process additional user content types and perform broader remote actions than users reasonably expect, which expands both privacy and abuse risk.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The prompt guidance 'Share your still images and I'll get started...' is broad enough to encourage activation on generic conversation or any image-sharing context without clear user intent to use this specific skill. Overbroad routing increases the chance the skill performs automatic setup and external API calls when the user did not explicitly request animation generation.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Example triggers like 'export 1080p MP4' and especially 'animate this image with a slow' are vague and can match common editing language outside this skill's intended context. Such ambiguous phrases can cause accidental invocation and unnecessary token acquisition, session creation, or file processing against a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal