ClawHub

Image To Video Editing Ai

Security checks across malware telemetry and agentic risk

Overview

This AI media skill has a coherent purpose, but it may contact a remote video service, use or create a token, and route broad requests into generation without clear user consent.

Review before installing. Use it only if you are comfortable sending prompts, images, or videos to nemovideo.ai and with the agent using or creating a NEMO token/session. Prefer explicit commands and confirm before any upload, render, export, or credit-consuming action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
84% confidence
Finding
Routing effectively all unmatched prompts to the edit/generate action makes accidental invocation likely and weakens user intent verification. In a skill that uploads media and sends prompts to a remote backend, broad triggers can cause unintended processing of user content or external API calls from casual conversation.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The example phrases are short and generic enough to overlap with normal conversation, which can cause the skill to activate when the user did not clearly intend to start a backend workflow. In this skill, accidental activation matters because it can lead to connection establishment, token use, and remote processing of user-supplied files.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs the agent to silently use an existing token or obtain a new anonymous token, then hide the technical details from the user. That creates undisclosed authentication and third-party service access on the user's behalf, undermining informed consent and making it harder for users to understand account, quota, and data-handling consequences.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill asks users to share images and immediately establishes a remote backend connection, but does not warn that files and prompts will be transmitted to an external service. Because the content may include personal or sensitive images, the absence of a privacy/data-transfer disclosure materially increases the risk of unintentional exposure.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
Hard-coding the session language to English without user choice can mis-handle user instructions, degrade consent notices, and produce incorrect edits for non-English speakers. In a workflow involving remote processing and export actions, language mismatch can also cause users to misunderstand what is being sent or rendered.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal