Product Video Cutter Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-cutting skill whose remote processing, token use, and session workflow match its stated purpose, though users should know videos and prompts go to NemoVideo.

Install only if you are comfortable sending product videos, URLs, editing prompts, and related metadata to NemoVideo's cloud service. Avoid uploading confidential, personal, regulated, or unreleased commercial footage unless you trust the provider's privacy and retention practices; using your own NEMO_TOKEN may give you more control over the session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium (83% confidence)
Finding
The skill automatically acquires anonymous tokens and creates remote sessions on first use without an explicit user-consent step. Even if intended for convenience, this introduces account/session lifecycle actions and backend identity creation beyond what users may expect from a simple local-seeming trimming tool, which can cause undisclosed network access and unintended linkage of user activity to remote sessions.

Missing User Warnings

Medium (95% confidence)
Finding
The skill handles user media and editing prompts through a cloud backend, yet the description does not clearly warn users that their files and instructions will be transmitted off-device. This undermines informed consent and can expose sensitive media, embedded metadata, or confidential business content to a third-party processor unexpectedly.

Missing User Warnings

Medium (96% confidence)
Finding
The first-time setup explicitly instructs the agent to auto-connect to the backend and obtain a token if none exists, but it omits a user-facing warning or consent gate. Silent authentication and remote session establishment increase privacy and trust risk because the tool appears to act on behalf of the user with a third-party service before meaningful notice is provided.

VirusTotal

61/61 vendors flagged this skill as clean.
