Ai Video Editor No Limit

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-generation skill whose remote API, token, upload, and export behavior is aligned with its stated purpose, but users should treat uploaded media as sent to a third-party service.

Install only if you are comfortable sending prompts, uploaded files, and video-related metadata to the backend service. Avoid confidential, regulated, unreleased, or personal media unless you trust the provider’s retention and deletion practices, and confirm upload/export actions before proceeding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to automatically connect to a remote API and mint or use an authentication token before doing anything else, but it does not require clear user consent or a prominent notice that content and metadata will be sent to a third-party cloud service. This creates a real privacy and trust risk because users may unknowingly cause video data, prompts, identifiers, and session metadata to be transmitted off-device.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill markets seamless cloud editing and export but omits a clear privacy/security warning that uploaded media is processed through a backend service and that session tokens, render jobs, and download URLs are involved. In context, this is especially relevant because users are encouraged to upload raw footage, which may contain sensitive personal, business, or unreleased content, making silent remote processing materially risky.

VirusTotal

65/65 vendors flagged this skill as clean.
