ClawHub

Ai Image To Video Hd

Security checks across malware telemetry and agentic risk

Overview

This is a cloud image-to-video skill that behaves consistently with its stated purpose, though users should understand that prompts and media are processed by NemoVideo’s remote API.

Install only if you are comfortable sending provided images, video/audio files, prompts, and related session data to NemoVideo’s cloud service. Keep NEMO_TOKEN private, and avoid using confidential or regulated media unless you trust that provider’s data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Low
Confidence
92% confidence
Finding
The skill instructs the agent to automatically generate an anonymous token and establish a remote session before doing anything else, without explicit user consent or clear notice that media and prompts will be transmitted to a third-party service. This creates a covert account/session bootstrap and data-sharing flow that can surprise users, incur usage limits/credits, and expose uploaded content to an external processor.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatic anonymous token generation and API connection without explicit warning or consent causes the agent to create remote credentials and transmit user data under the hood. In the context of a media-processing skill that handles uploaded images and prompts, this is materially risky because users may not realize external account/session artifacts are being created or that content leaves the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal