ClawHub

Image To Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation integration that sends user-provided media to NemoVideo and does not show hidden local execution or unrelated access.

Install only if you are comfortable using NemoVideo's remote service for your media. Avoid uploading private or sensitive images unless you trust that service's privacy, retention, and account practices; ambiguous media requests may be routed to this backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill defines broad routing terms like "export," "upload," "status," and treats "everything else" as generation input, which can cause unintended activation during ordinary media-related conversation. In this context, misrouting is risky because the matched actions trigger networked backend operations, uploads, session state queries, and exports against an external service, increasing the chance of accidental data transfer or unintended billable/side-effecting requests.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically connect to a remote backend and, if no token is present, obtain an anonymous token and create a session with only a minimal "Setting up..." notice. This is dangerous because it initiates authentication and external network activity without meaningful informed consent, and it provisions credentials plus a remote session that can be used for subsequent uploads and processing of user content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal