ClawHub

Filmora Video Enhancer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it uploads a user-selected video to Wondershare for cloud enhancement and downloads the result, with notable privacy caveats.

Install only if you are comfortable uploading the selected video, its checksum and metadata, locale, and a stable hashed device identifier to Wondershare-hosted cloud services. Do not use it for confidential or sensitive media, and expect task IDs or status URLs to appear in local logs/transcripts during processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill's declared purpose is cloud video enhancement, but it also collects and transmits additional system-derived identifiers and locale data that are not fully reflected in the high-level description. Even though the privacy section mentions a device ID derivation, the extra collection broadens tracking and fingerprinting risk, and printing the task status URL may leak correlatable identifiers into logs or agent transcripts.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill derives a stable device identifier from host properties and transmits it to a third-party cloud service. This enables persistent cross-session tracking of the user's machine and is unrelated to the core function of enhancing a video, creating unnecessary privacy exposure.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The skill automatically sends the user's locale to the external service without any clear need for basic video enhancement. While lower impact than the device fingerprint, locale is still metadata that can aid profiling and should not be shared by default.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal