ClawHub

Image To Videoopenai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud image-to-video skill, but users should understand that media and prompts are sent to NemoVideo rather than an OpenAI-operated backend.

Install only if you are comfortable sending selected images, prompts, and generated media to nemovideo.ai. Protect the NEMO_TOKEN, watch for credit-consuming exports, and ask the agent to confirm before uploading sensitive content or starting an export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation text is broad enough to activate on generic phrases like 'export 1080p MP4,' which are not unique to this skill. In an agent environment, this can cause misrouting of unrelated user requests into a third-party cloud workflow, increasing the chance that files, prompts, or session context are sent to an external service unexpectedly.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The fallback rule routes 'Everything else' to the SSE/generation path, making ambiguous or unrelated prompts trigger remote processing by default. Because this skill sends content to a cloud API and can manipulate session state, such catch-all behavior increases the risk of accidental disclosure of user prompts or media to the external service without sufficiently specific consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to connect automatically to a cloud backend, obtain tokens, and create sessions, but it does not clearly warn users that their uploaded media and prompts will be transmitted to a third-party service. In a media-processing skill handling potentially sensitive images, this lack of disclosure undermines informed consent and can lead to privacy and compliance issues if users share proprietary or personal content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal