Editor Baby

Security checks across malware telemetry and agentic risk

Overview

This baby-video editor is purpose-aligned, but it automatically creates a remote session and can send sensitive family videos and broad prompts to a third-party cloud service without clear consent controls.

Review this carefully before installing. Use it only if you are comfortable sending baby videos, editing prompts, and project state to NemoVideo's cloud backend. Keep NEMO_TOKEN private, avoid highly sensitive family footage unless you understand the provider's privacy and retention terms, and prefer an explicit confirmation before uploads or session creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 83% confidence
Finding
The fallback rule routes all unspecified requests into the editing/SSE path, which is overly permissive for a skill that can upload media, create sessions, and issue backend requests. In practice, ambiguous or unrelated user input could trigger remote processing behavior, increasing the chance of unintended data transmission or backend actions without sufficiently clear user intent.

Missing User Warnings

Medium, 95% confidence
Finding
This skill handles sensitive baby videos and sends them to a remote processing backend, but the user-facing description does not prominently disclose that uploads leave the local environment. Because the content likely contains minors and private family footage, insufficient disclosure materially increases privacy risk and undermines informed consent.

Missing User Warnings

Medium, 96% confidence
Finding
The skill automatically obtains an anonymous token and creates a backend session without a clear user-facing warning that credentials are being generated and used on the user's behalf. Silent account/session creation combined with media uploads can expose users to unexpected backend linkage, retention, quota consumption, and privacy implications.

VirusTotal

63/63 vendors flagged this skill as clean.
