ClawHub

Agentic Video Editor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-editing integration, but users should know their media and prompts go to NemoVideo for processing.

Install this only if you are comfortable sending video, audio, images, prompts, and project state to nemovideo.ai for cloud processing. Avoid confidential or regulated footage unless you have reviewed the service terms, and use a dedicated limited token where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to mint, use, and store authentication tokens, including anonymous-token acquisition and persistent session handling. While this supports the service workflow, it expands the skill from simple video editing into credential management, increasing the risk of unnecessary secret handling, token leakage, or reuse beyond the user's informed expectations.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill directs inspection of local install paths and config-related locations to infer platform and set attribution headers, which is not necessary for editing a user's video. Unneeded environment and filesystem inspection increases privacy exposure and creates an avenue for over-collection of host metadata unrelated to the requested task.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation examples are broad and include generic phrases like 'export 1080p MP4' and 'edit my raw video footage,' which could accidentally route unrelated user messages into this skill. Overbroad triggering can cause unintended remote processing, token use, or upload prompts without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends uploaded media to a third-party remote backend and creates backend sessions, but the setup flow emphasizes automatic connection and does not clearly foreground this data transfer as a user warning. For potentially sensitive raw footage, insufficient disclosure can lead to privacy harm, compliance issues, and uninformed sharing of personal or confidential content.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal