ClawHub

Editor De Video Online

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for cloud video work, but it needs review because it can send user media and prompts to a remote service without clear upfront consent or tight activation scope.

Install only if you are comfortable with prompts, uploaded media, and session metadata being sent to the Nemo Video backend for processing. Avoid sensitive personal, corporate, or biometric media unless the service's retention and privacy terms are acceptable, and confirm before any upload or session creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example invocation phrases are broad and generic enough that normal conversation about editing or exporting videos could unintentionally trigger the skill. Because this skill uploads media and interacts with a remote backend, accidental invocation can expose user content or cause unintended network actions without clear user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends user prompts, uploaded media, and session data to a third-party cloud service, but the user-facing description does not clearly warn about this data transfer up front. In a media-editing context, uploaded files may contain sensitive personal, corporate, or biometric information, so lack of explicit disclosure materially increases privacy and consent risk.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill hard-codes `language":"en"` when creating sessions, which can misrepresent the user's preferred language and cause prompts or metadata to be processed under the wrong locale without consent. This is less severe than direct data exfiltration, but it can degrade safety, transparency, and correctness for multilingual users and may affect how their content is interpreted by the remote service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal