Editor No Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a cloud video-editing skill, but it may send user prompts and media to NemoVideo too broadly and without clear consent.

Review before installing. Use it only when you intend to send your clips and edit instructions to NemoVideo, avoid private or regulated media unless you understand the provider’s handling, and require explicit confirmation before uploads, session creation, or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (88% confidence)
Finding
The skill encourages invocation from very generic phrases like "share your existing video clips" or "tell me what you're thinking," which can cause the agent to activate on ordinary conversation rather than clear user intent. In a skill that performs cloud setup, acquires tokens, and uploads media, accidental invocation can lead to unintended external API calls and processing of user data.

Vague Triggers

Medium (93% confidence)
Finding
The routing rule "Everything else (generate, edit, add BGM…) → §3.1 SSE" is an overbroad catch-all that can sweep unrelated requests into the cloud editing workflow. Because SSE sends user messages to a remote backend, this creates a risk of unintended data disclosure, unexpected account usage, and surprise execution of external actions.

Missing User Warnings

Medium (91% confidence)
Finding
The skill instructs the agent to connect to a cloud backend, create a session, and process uploaded video clips, but it does not clearly warn users that their media and editing instructions will be transmitted to a third-party service. Since videos may contain sensitive personal, corporate, or copyrighted material, the lack of an explicit privacy/data-transfer notice undermines informed consent.

VirusTotal

VirusTotal findings are pending for this skill version.
