ClawHub

Ai Image To Video Ltx

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud image-to-video skill, but it needs review because broad prompts and user media can be sent to a third-party backend with limited upfront consent.

Install only if you are comfortable with NemoVideo receiving prompts, uploaded media or media URLs, and session metadata for cloud processing. Avoid private or confidential files, and use explicit prompts naming this skill so ordinary export or edit requests are not routed unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are very broad and generic, such as 'export' or 'convert my still images,' which can cause the skill to activate on ordinary user requests not clearly intended for this specific external service. That increases the chance of unintended file upload, remote processing, or token-backed actions against a third-party backend without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The catch-all rule routing 'Everything else' to SSE is overly permissive and effectively turns ambiguous prompts into remote backend instructions. In a chat environment, that can lead to accidental transmission of user content, unintended edits, or confusing delegation of broad requests to an external service beyond the advertised image-to-video scope.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs automatic backend connection, anonymous token acquisition, and session creation without a clear user-facing notice that data and metadata will be transmitted to a third-party service. This creates a privacy and consent issue, especially because uploaded media and prompts may be sent off-platform before the user understands that cloud processing is involved.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal