ClawHub

Generation Editor Generator

Security checks across malware telemetry and agentic risk

Overview

This video-editing skill appears purpose-aligned, but it can automatically contact NemoVideo, create a session, and send prompts or media to a cloud backend before clear user consent.

Review before installing. Use this only for videos, URLs, prompts, and editing state you are comfortable sending to NemoVideo cloud services. Prefer explicit video-editing requests, and avoid installing it if you do not want automatic token/session setup or broad cloud routing for ambiguous prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation examples are broad enough that ordinary phrases like asking to 'export' or 'generate my video clips' could trigger the skill without the user clearly intending to send media to this specific third-party service. In this skill, accidental activation is more concerning because it can lead to automatic backend connection and subsequent cloud processing of user media.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The catch-all 'Everything else' routing rule is overly permissive and can cause unrelated user text to be sent to the remote SSE editing backend. Because the default path is a networked action rather than a local clarification, ambiguous prompts may disclose user content or trigger unintended session activity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes cloud rendering and upload-driven processing but does not clearly warn users that their media and prompts are transmitted to an external backend. This weakens informed consent and increases privacy risk, especially for personal, confidential, or copyrighted media files.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically obtain a token and create a remote session on first open, without a prior warning or consent prompt about network activity. Silent authentication and session creation can surprise users, leak metadata such as language/client identifiers, and establish third-party tracking or billing context before the user knowingly opts in.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal