ClawHub

Video Editing With Effects Free

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward cloud video-editing connector, but users should know their selected media and prompts are sent to NemoVideo's cloud service.

Install only if you are comfortable sending selected videos, images, audio, URLs, prompts, and editing metadata to NemoVideo's cloud service. Avoid confidential or highly personal media unless you trust that provider, and prefer a limited or disposable NEMO_TOKEN if you do not want the skill using an existing account context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest and user-facing description say the skill works with MP4, MOV, AVI, and WebM video clips up to 500MB, but the body later documents support for many more file types, audio/image formats, and URL-based uploads. This mismatch can mislead users about what data may be accepted and transmitted to the remote service, increasing the risk of unintended data exposure and capability creep beyond the declared purpose.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to connect to a remote processing API and upload user media and prompts, but the user-facing introduction does not clearly warn that files and instructions leave the local environment for cloud processing. Videos often contain sensitive personal, biometric, location, or copyrighted content, so undisclosed remote transfer materially affects user privacy and consent.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The skill automatically uses an existing NEMO_TOKEN from the environment without a clear user-facing warning or consent step. Silent reuse of ambient credentials can cause the agent to act under a user's existing account context, potentially consuming credits or accessing account-linked services without informed approval.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal