Ai Video Editor Job Posting

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised remote video generation, but it automatically creates or uses a NemoVideo token/session and can send job materials to a third-party backend without clear user consent.

Review before installing. Use it only if you are comfortable sending recruiting text, documents, media, and prompts to NemoVideo's remote service. Do not upload confidential hiring plans, personal applicant data, or regulated information unless your organization has approved the service and its retention/deletion terms. Prefer an explicit, user-supplied NEMO_TOKEN and confirm before any upload, generation, export, or credit-consuming action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Severity: Medium (89% confidence)

Finding: The skill directs the agent to obtain and use bearer tokens, including anonymously minting a starter token, before servicing the user. That expands the skill from simple video conversion into autonomous authentication and account provisioning against a third-party service, which can trigger external side effects, create untracked accounts/sessions, and use remote resources without clear user consent.

Vague Triggers

Severity: Medium (84% confidence)

Finding: Routing 'everything else' to the generate/edit action is overly broad and can cause unintended prompts to be sent to the remote backend. In a skill that uploads files and invokes paid or state-changing API actions, loose intent matching increases the chance of accidental data transmission, unwanted edits, or resource consumption from ambiguous user input.

Missing User Warnings

Severity: Medium (93% confidence)

Finding: The skill advertises file upload and automatic AI video generation but does not present a clear, prominent warning that user-provided documents and media are transmitted to a third-party remote API for processing. Because job postings and attached files may contain confidential business information or personal data, silent or under-disclosed transfer creates a real privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.