Video Maker Hd

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, but users should understand that clips and editing prompts are sent to NemoVideo for processing.

Install only if you are comfortable sending video clips, edit instructions, timeline state, and render jobs to NemoVideo's cloud service using NEMO_TOKEN or an automatically created anonymous token. Avoid sensitive or confidential footage unless you understand the provider's retention and deletion practices, and ask for confirmation before uploads or exports when the request is ambiguous.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 92% confidence
Finding
The startup prompt and example invocations are broad enough that ordinary conversation like "create my video clips" or vague planning language could trigger the skill unexpectedly. Because this skill uploads user media and initiates cloud-backed processing, accidental activation can cause unintended data transfer to a third-party service and consume credits or create remote sessions without clear user intent.

Vague Triggers

Medium, 95% confidence
Finding
The routing table includes a catch-all rule sending "Everything else" to the SSE editing path, which makes nearly any unmatched user text eligible to trigger backend actions. In a skill that can create sessions, send prompts to remote services, and mutate project state, ambiguous routing increases the chance of unintended remote operations and privacy-impacting data disclosure.

Missing User Warnings

Medium, 90% confidence
Finding
The user-facing description emphasizes ease of use but does not clearly warn, at the point of use, that uploaded media and prompts are sent to a cloud processing backend. Since video files may contain sensitive personal or proprietary content, insufficient disclosure undermines informed consent and can lead to unintended exposure of private media to third-party infrastructure.

VirusTotal

66/66 vendors flagged this skill as clean.
