ClawHub

Ai Video Maker From Image

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud image-to-video skill, but users should know their prompts and media may be sent to nemovideo.ai.

Install only if you are comfortable sending uploaded images, prompts, and render/session metadata to nemovideo.ai for cloud processing. Avoid confidential or sensitive media, and prefer using your own NEMO_TOKEN if you do not want the skill to request an anonymous starter token automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation text is broad enough that normal conversation about images or video creation could activate the skill unintentionally. Because the skill immediately initiates setup to a third-party cloud backend and may begin handling user files and prompts, accidental activation can lead to unintended data transmission and user confusion.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Example triggers like "convert my images" and "export 1080p MP4" are generic phrases that can appear in ordinary user requests unrelated to this specific skill. This increases the chance of unintended routing into a workflow that authenticates to an external service and processes user media without sufficiently explicit consent.

Vague Triggers

High
Confidence
97% confidence
Finding
The catch-all rule routing "Everything else" to the SSE action effectively makes the skill a default handler for a wide range of prompts, which is overly permissive. In this skill, that is especially risky because SSE sends user messages to a remote backend, so unrelated or sensitive text could be exfiltrated to the cloud service through accidental activation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The user-facing description emphasizes convenience but does not clearly disclose that uploaded files, prompts, and session data are sent to a third-party cloud processing backend. This lack of transparency undermines informed consent and can expose sensitive images or text to an external service without the user understanding where their data is going.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal