ClawHub

Editor Ai Hindi

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should understand it uses NemoVideo cloud sessions and can send selected media and prompts to that service.

Install only if you are comfortable using nemovideo.ai for cloud processing of selected videos, audio, images, URLs, prompts, and project metadata. Use a dedicated or anonymous token where possible, avoid uploading private or regulated footage unless you trust the provider, and review the provider’s retention and account policies before using it for sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is presented as a Hindi video editing/subtitling tool, but its documented upload surface is broader than that purpose and includes remote URL ingestion plus non-video media types. That expands the trust boundary, increases the chance of users sending unexpected sensitive content to the backend, and can enable unintended fetching of third-party resources without clear user awareness.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill is instructed to obtain anonymous tokens automatically when no credential is present, which gives it the ability to create backend-authenticated sessions without explicit user consent. In a skill context, autonomous credential acquisition is risky because it hides account/session creation from the user and could be abused to route data to a third-party service under disposable identities.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The example triggers are so generic that normal conversation like 'export' or 'upload' could invoke the skill unintentionally. Because this skill connects to a cloud backend and may upload/process user media, accidental activation can lead to unintended data transfer or external API usage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill prominently encourages users to share raw footage and describes backend connection behavior, but does not provide a clear user-facing warning that videos and request text will be sent to a cloud service. For a media-editing skill handling potentially sensitive personal recordings, lack of explicit disclosure materially increases privacy and data handling risk.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The manifest declares use of an environment credential (`NEMO_TOKEN`) but does not clearly warn users that the skill may access locally available credentials to authenticate to an external service. This is a transparency and consent issue: users may not realize the skill can consume existing secrets and act on their behalf.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal