ClawHub

Ai Video Editor Names

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill that sends prompts and media to NemoVideo for rendering, with no local executable code or hidden persistence found.

Install only if you are comfortable using NemoVideo's cloud service for your media. Avoid confidential screen recordings or private media unless you trust that provider, and ask the agent to confirm before uploads, edits, exports, or credit-consuming actions when your request is ambiguous.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example invocations are extremely broad and generic (for example, 'generate my video clips' and 'export 1080p MP4'), which increases the chance the skill is activated when a user did not intend to invoke this specific remote-processing workflow. Because first interaction triggers automatic setup and network calls, accidental activation can lead to unintended token acquisition, session creation, and possible media transmission to a third-party service.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing table sends 'Everything else' related to generate/edit/add BGM to the SSE action, creating an overly permissive catch-all activation boundary. In practice, ordinary user discussion about video ideas could be interpreted as an editing command and forwarded to the backend, causing unintended remote processing and disclosure of user prompts or attached media.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Although the skill mentions that rendering happens server-side, it does not give a clear upfront warning that uploaded videos and user prompts are transmitted to a remote third-party processing API. This weak disclosure is important in a media-editing context because videos may contain sensitive on-screen content, voices, or proprietary materials, and users may not realize that their data leaves the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal