ClawHub

Easy Video Editing

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose remote token setup, upload, editing, and export behavior matches its stated purpose, with privacy considerations for uploaded media.

Install only if you are comfortable sending videos, prompts, and any provided media URLs to mega-api-prod.nemovideo.ai for cloud processing. Avoid sensitive personal, business, or private-location footage unless you trust that provider's privacy and retention practices, and be aware the skill may request a temporary anonymous token automatically when NEMO_TOKEN is not already set.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill marketed as casual video editing expands its documented capability to ingest arbitrary URLs and many non-video media types, increasing the data-ingestion surface beyond user expectations. This can enable unreviewed remote content fetching, accidental processing of sensitive third-party resources, or misuse as a generic media import proxy.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill automatically acquires an anonymous backend token and creates a session without an explicit user approval step, which is credential handling behavior beyond simple local editing assistance. This creates a hidden authentication flow to a third-party service and can cause unintended account/session creation, backend usage, and opaque transmission of user data.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
Deriving `X-Skill-Platform` from local install paths exposes environment and platform metadata unrelated to the user’s editing request. While lower severity, it unnecessarily fingerprints the runtime and leaks host-context information to the remote backend.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not clearly warn upfront that uploaded videos and prompts are transmitted to a cloud backend for processing, despite the workflow depending on remote APIs and cloud GPUs. Users may share sensitive recordings under the mistaken assumption that processing is local or minimally disclosed, creating privacy and compliance risk.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
Forcing language selection based on auto-detection without user choice can send inferred linguistic or locale information to the backend and may mis-handle user content in multilingual contexts. This is mainly a privacy and transparency issue rather than a severe exploit path, but it still removes user control over a remotely transmitted setting.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal