ClawHub

Image To Video Hd Free

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate cloud image-to-video skill, but it can automatically create remote NemoVideo sessions and route broad or ambiguous prompts to that service without clear user consent.

Review before installing. Use it only if you are comfortable with NemoVideo receiving your images, prompts, URLs, and session/render metadata. Avoid sensitive, confidential, or regulated media unless you trust the provider's privacy and retention terms, and protect any NEMO_TOKEN like a service credential that may consume credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
95% confidence
Finding
Routing 'everything else' to the skill creates an overly broad invocation surface, causing unrelated user prompts to be sent to a third-party backend. In this skill, that increases the chance of accidental disclosure of prompts or files to the remote service and can trigger unintended remote actions under the user's token/session.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The suggested invocation phrases are generic enough that the skill may match ordinary conversation or ambiguous requests not clearly related to media processing. Because the skill automatically connects to a backend and can create remote sessions, vague triggers raise the risk of unintended activation and data transmission.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill asks users to share images and prompts while omitting a clear, upfront notice that both are transmitted to a remote cloud service for processing. This weakens informed consent and can lead users to disclose sensitive media or text without understanding that it leaves the local environment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Automatically connecting to the backend, generating/acquiring a token, and creating a remote session without a clear warning or consent step can silently establish third-party processing and account state. In a media skill handling user uploads, that is dangerous because it initiates external data flows and authentication actions before the user has clearly agreed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal