Video Editor That Has Ai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should know their selected videos and prompts are sent to NemoVideo for processing.

Install only if you are comfortable sending chosen videos, URLs, prompts, and related session metadata to NemoVideo's cloud backend. Avoid uploading recordings that show passwords, private documents, customer data, or confidential business material unless that provider is approved for that data, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (93% confidence)
Finding
Routing 'Everything else' to the SSE action creates an overly broad activation boundary, so ordinary conversation or ambiguous user text could be forwarded to the remote backend as editing commands. In this skill, that increases the chance of unintended data disclosure and unintended cloud-side actions because free-form prompts are sent to an external service with session context.

Vague Triggers

Medium (89% confidence)
Finding
The invocation language is broad and overlaps with common conversational phrasing, which can cause accidental activation of the skill outside a clearly bounded video-editing request. Because this skill uploads media and sends instructions to a third-party cloud service, accidental triggering has meaningful privacy and action-integrity consequences.

Missing User Warnings

Medium (96% confidence)
Finding
The skill does not prominently warn users that uploaded video files, prompts, and session data are transmitted to a cloud backend for processing. This is dangerous because users may unknowingly send sensitive recordings or instructions off-device, creating privacy, confidentiality, and compliance risks.

VirusTotal

65/65 vendors flagged this skill as clean.
