ClawHub

Ai Video Editor Download Free

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, so the main risk is privacy from sending videos and prompts to NemoVideo rather than hidden or malicious behavior.

Install only if you are comfortable sending video files, URLs, edit prompts, and related session data to NemoVideo's cloud service. Avoid private or sensitive recordings unless you trust that provider, treat NEMO_TOKEN as a credential, and review credit, expiry, registration, upgrade, and deletion/retention expectations before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation language is broad enough that ordinary video-editing prompts could trigger this skill without the user intentionally selecting a third-party cloud processor. Because the skill uploads user media to an external backend and manages tokens/sessions, overbroad activation increases the risk of unintended disclosure of potentially sensitive video content.

Vague Triggers

High
Confidence
96% confidence
Finding
The catch-all rule routing 'Everything else' to SSE makes invocation boundaries effectively unbounded, allowing many unrelated prompts to be forwarded to the remote backend. In context, this is more dangerous because the backend can process free-form text and uploaded media, so accidental activation could send user content or instructions to an external service without clear intent or informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill's user-facing framing does not prominently warn that uploaded clips are transmitted to a cloud backend for processing. For media-editing skills, uploaded videos may contain faces, voices, locations, or other sensitive data, so inadequate disclosure undermines informed consent and increases privacy risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal