Animate Old Photos

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses a paid third-party API to upload a chosen photo, generate a short video, and download the result.

Install only if you are comfortable sending the selected photo, optional motion prompt, and API credentials to Animate Old Photos and its storage provider. Prefer using an environment variable or secret manager for the API key instead of putting it directly in a command, confirm the credit charge each run, and avoid sensitive photos unless you trust the provider's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to execute shell commands (`curl`, `jq`, `bash scripts/animate.sh`) but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users and the platform may not realize the skill can run code and transmit local files off-device.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example trigger phrases are generic natural-language requests like 'Animate this old photo' and 'Turn this photo into a video', which are plausible in ordinary conversation and may cause the skill to activate when the user did not explicitly intend to invoke this specific third-party integration. In this skill, unintended activation is more concerning because execution can lead to paid API usage and upload of user images to an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes the feature and API usage but does not prominently and explicitly warn that user-supplied images, optional prompts, and related metadata are transmitted to animateoldphotos.org, a third-party external service. In the context of old or personal photos, this omission is security- and privacy-relevant because users may disclose sensitive family images or content without informed consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad everyday language such as 'animate this photo' and 'bring this photo to life,' which could cause the skill to activate in situations where the user did not intend to use this paid third-party service. In this context, accidental invocation is more dangerous because activation can lead to API-key requests, image upload, and credit consumption.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description and workflow do not present an explicit privacy warning before instructing the agent to upload the user's image to a third-party API. Because photos can contain highly sensitive personal data, faces, metadata, or private content, omission of a clear disclosure undermines informed consent and increases privacy risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API reference explicitly returns `publicUrl` for uploaded images and later a public `resource` URL for generated videos, but it does not warn integrators that user-provided photos and outputs may be publicly accessible if those URLs are shared, guessed, logged, or exposed in downstream systems. Because this skill handles sensitive personal images, undocumented public exposure creates a real privacy and data-leakage risk in normal use.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script explicitly documents and supports passing the API key as the first command-line argument, which can expose the secret via shell history, process listings, job control tools, and audit logs on multi-user systems. Although it also supports an environment variable, encouraging argv-based secret handling is an avoidable credential exposure risk.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
API_KEY="${AOP_API_KEY}"
AUTH=$(curl -s -X POST https://animateoldphotos.org/api/extension/auth \
  -H "Content-Type: application/json" \
  -d "{\"licenseKey\":\"${API_KEY}\"}")
TOKEN=$(echo "$AUTH" | jq -r '.accessToken')
```
Confidence
93% confidence
Finding
curl -s -X POST https://animateoldphotos.org/api/extension/auth \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
FILE_SIZE=$(stat -f%z "$IMAGE_PATH" 2>/dev/null || stat -c%s "$IMAGE_PATH" 2>/dev/null)
CONTENT_TYPE="image/jpeg"  # use image/png for .png files

UPLOAD=$(curl -s -X POST https://animateoldphotos.org/api/extension/upload-token \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"fileName\":\"$(basename "$IMAGE_PATH")\",\"contentType\":\"${CONTENT_TYPE}\",\"fileSize\":${FILE_SIZE}}")
```
Confidence
95% confidence
Finding
curl -s -X POST https://animateoldphotos.org/api/extension/upload-token \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
KEY=$(echo "$UPLOAD" | jq -r '.key')
PUBLIC_URL=$(echo "$UPLOAD" | jq -r '.publicUrl')

curl -s -X PUT "$UPLOAD_URL" \
  -H "Content-Type: ${CONTENT_TYPE}" \
  --data-binary "@${IMAGE_PATH}"
echo "Image uploaded."
```
Confidence
98% confidence
Finding
curl -s -X PUT "$UPLOAD_URL" \ -H "Content-Type: ${CONTENT_TYPE}" \ --data-binary

VirusTotal

66/66 vendors flagged this skill as clean.