Qcut Video Edit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent QCut automation skill, but it gives an agent broad local editing, recording, secret-handling, and external AI processing powers without enough safeguards.

Install only if you trust QCut and intend to let an agent operate local video projects. Require explicit approval before launching QCut, revealing keys, enabling the notification bridge, uploading media to AI providers, recording the screen, taking screenshots, exporting project state, or running destructive project/timeline commands; back up projects and avoid confidential media unless the provider and local persistence risks are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill explicitly documents that `generate-remotion` invokes `claude -p` with all tools, which grants a secondary agent broad capabilities unrelated to simple media generation. In a prompt-influenced workflow, this expands the attack surface to arbitrary tool use and indirect command/file operations, making prompt injection or unsafe tool invocation materially more dangerous than ordinary editor analysis commands.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented `analyze-video`, `transcribe`, and `query-video` commands accept local files and remote URLs and are explicitly designed to send media to AI vision/STT services, yet the reference omits any privacy or data-handling warning. Users may unknowingly submit sensitive audio/video, creating confidentiality and compliance risk, especially in enterprise or regulated environments.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Commands such as `create-video`, `generate-avatar`, and `transfer-motion` accept remote image/audio/video URLs but do not warn that those referenced assets may be fetched by backend services or third-party model providers. This can expose private or tokenized URLs, leak access patterns, or cause users to process external media without understanding where the content is sent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to build, launch, and drive a local Electron app, including opening projects and switching UI panels, without any warning that these actions change local application state. In an agent setting, this can cause unintended modification of the user's active workspace or trigger side effects in QCut merely from following the documented discovery steps.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents commands that export full project state and write it to disk, but does not warn that this may create local files containing potentially sensitive media/project metadata. In an automated agent workflow, silent disk writes can leak data into unexpected locations or leave behind artifacts the user did not consent to create.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that Claude 'then writes files' into an output folder, but provides no warning that running this command will modify the local filesystem. Silent agent-driven file creation is risky because users may invoke it expecting content generation only, while the underlying process can create or overwrite artifacts in ways that could be abused if prompts or downstream skills are adversarial.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The transcription and analysis sections describe sending media and prompts to external AI providers such as Deepgram and Gemini without any privacy or data-handling warning. This can expose sensitive audio, video, and derived metadata to third parties, and the skill context makes this more concerning because editor users may process proprietary or personal media inside a local creative workflow while assuming it stays local.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation exposes a destructive media deletion command with no warning, confirmation guidance, or recovery note. In an agent skill context, this increases the chance that an LLM or user will invoke irreversible deletion on the wrong media item, causing accidental data loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Project deletion is more severe than single-media deletion because it can remove an entire workspace and all associated assets or metadata. In a deterministic editor automation skill, presenting this command without a strong warning materially raises the risk of catastrophic accidental destruction by users or autonomous agents.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The project info and export-state commands can expose sensitive metadata such as local filesystem paths, prompts, job history, export locations, and API-key presence indicators. Omitting a privacy warning may lead users or agents to share these outputs in logs, tickets, or model context, causing unintended disclosure of operational and project-sensitive information.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documented screen recording commands can capture whatever is visible on the user’s screen and write it to disk or discard it, but the documentation provides no warning about privacy, consent, or sensitive data exposure. In a deterministic editor-control skill, this capability is more dangerous because an agent can trigger recording as part of normal automation, increasing the chance of collecting credentials, private content, or other confidential material unintentionally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The screenshot command saves a visual snapshot of the QCut editor window to disk, which may include confidential project content, personal information, or visible secrets. Because this skill is explicitly intended for editor automation and state-aware control, an agent could invoke screenshots routinely, making silent collection and persistence of sensitive visual data more likely.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The command to switch to the API keys panel can expose sensitive credentials on screen, especially when combined with screenshot or screen-recording features documented in the same skill. While the command itself does not exfiltrate data, the surrounding skill context makes credential exposure more plausible because it enables deterministic UI navigation to a secrets-bearing view.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The notification bridge injects QCut user-action descriptions directly into an active Claude PTY session, creating a cross-context prompt/context injection channel. Even on localhost, this can leak sensitive editor activity into the agent session and influence subsequent agent behavior without clear consent, isolation boundaries, or warnings.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented `get-key --reveal` capability exposes full secret values, which can enable accidental disclosure to logs, transcripts, screenshots, or downstream tools if invoked by an agent or user without strong warning. In an agent skill context, secret-revealing operations are especially risky because they can be requested indirectly and exfiltrated through normal output channels.

VirusTotal

65/65 vendors flagged this skill as clean.