Ai Animation Generator

Security checks across malware telemetry and agentic risk

Overview

This AI animation skill is purpose-aligned, but it can automatically create a remote session and send broad or ambiguous prompts or uploaded media to an external video service.

Review before installing. Use this only if you are comfortable sending prompts, uploaded images/videos/audio, generated client identifiers, and session metadata to NemoVideo for cloud processing. Avoid sensitive, private, regulated, or rights-sensitive media, and prefer explicit animation requests rather than vague prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The skill invites activation from very generic phrases like sharing text/images or vague creative intent, which increases the chance of accidental invocation during ordinary conversation. Because this skill can automatically authenticate and send user prompts or files to an external cloud API, unintended triggering can lead to privacy-impacting data transfer and unexpected external actions.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing table contains a catch-all rule that sends 'Everything else' to the SSE action, effectively treating any unmatched prompt as an instruction to the remote service. In context, this is risky because the backend interaction can create sessions and process user content, so ambiguous input may be exfiltrated or acted on without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill text emphasizes convenience and cloud processing but does not clearly warn users that their text, images, and other media may be uploaded to third-party infrastructure for processing. Given support for rich user files and automatic setup/authentication, the missing disclosure materially increases privacy and consent risk, especially for sensitive or proprietary content.

VirusTotal

66/66 vendors flagged this skill as clean.
