Image To Video Online Free

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud image-to-video connector, but users should know their selected media and prompts are sent to nemovideo.ai.

Install only if you are comfortable sending selected images, URLs, prompts, and render state to nemovideo.ai. Avoid confidential, regulated, or private media unless you trust that provider, and treat the anonymous token/session as a temporary credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill is presented as a narrowly scoped image-to-video tool, but the body grants much broader multimedia editing, export, and format-conversion behavior. That mismatch can mislead users and calling agents about what data and actions are in scope, increasing the chance of unintended uploads, transformations, or downstream tool use beyond the advertised purpose.

Vague Triggers

Medium
Confidence: 90%
Finding
The activation phrases are extremely generic (for example, 'convert my still images' or 'export 1080p MP4'), making accidental invocation likely during ordinary conversation. In a skill that performs uploads, token generation, and remote processing, overbroad triggering can cause unintentional data transfer or action execution without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence: 95%
Finding
The catch-all rule routes 'everything else' into the generation/SSE flow, which is overly permissive and may classify unrelated requests as commands for the remote backend. Because that backend can mutate session state and trigger processing, ambiguous prompts could be sent off-platform or interpreted as editing instructions without clear user consent.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs automatic anonymous token creation, session establishment, and cloud processing without a clear up-front consent and privacy warning. This is dangerous because user content and metadata may be transmitted to a third-party service and a new credential/session may be created silently, which undermines informed consent and can expose sensitive images or usage data.

VirusTotal

66/66 vendors flagged this skill as clean.
