Image To Video Effects

Security checks across malware telemetry and agentic risk

Overview

This skill has a real image-to-video purpose, but it can automatically create cloud sessions and send broad user prompts or uploaded images to a third-party service without a clear confirmation step.

Install only if you are comfortable sending selected images, prompts, and related session metadata to NemoVideo’s cloud backend. Use it for explicit image-to-video tasks, avoid private or regulated media, and confirm before token creation, upload, generation, or export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium, 91% confidence
Finding
The skill instructs the agent to autonomously acquire anonymous auth tokens, create sessions, and manage credit/account-like workflows without an explicit user-consent gate. This is dangerous because it enables hidden third-party account/session creation and backend interaction, potentially sending user content to an external service and consuming credits under opaque conditions.

Vague Triggers

Medium, 83% confidence
Finding
The phrase inviting users to 'share your still images and I'll get started' is broad enough to encourage automatic activation from casual conversation, especially when combined with generic media-related prompts. Overbroad invocation increases the chance of accidental routing, causing unintended uploads or remote processing of user content.

Vague Triggers

Medium, 87% confidence
Finding
The trigger examples ('export 1080p MP4', 'animate this photo with a zoom') are generic commands that could overlap with many unrelated image or media tasks. In a multi-skill environment, this can cause incorrect skill activation and unintended transmission of files or prompts to this service.

Missing User Warnings

Medium, 95% confidence
Finding
The setup instructions direct the agent to connect to a cloud backend, obtain tokens, and create sessions, but the user-facing guidance does not clearly warn that images and prompts will be transmitted off-device. This creates a meaningful privacy and data-handling risk, especially because uploaded media may contain sensitive personal, biometric, or proprietary content.

VirusTotal

66/66 vendors flagged this skill as clean.