ClawHub

Ai Video Editor App Download

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video editor that sends user-selected videos and editing prompts to NemoVideo, with no hidden local execution or destructive behavior found.

Install only if you are comfortable sending chosen videos, audio, images, and editing prompts to nemovideo.ai for cloud processing. Avoid private, regulated, or confidential footage unless you understand the provider's privacy and retention practices, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
Routing all unmatched requests to the editing/SSE action makes the skill overly eager to claim generic user prompts, increasing the chance of accidental invocation and unintended transfer of user content or instructions to a third-party service. In this skill, that risk is amplified because the default path can initiate cloud-backed processing and session activity for broadly phrased requests.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation description is broad enough to overlap with many normal requests about editing, exporting, or polishing media, which can cause the skill to activate when the user did not specifically intend to use this external service. Because activation may lead to cloud session creation and remote processing, mistaken routing has privacy and consent implications beyond simple misclassification.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks users to send raw video footage but does not present a prominent upfront warning that uploaded media and editing instructions are transmitted to a remote cloud backend. For a media-processing skill handling potentially sensitive personal recordings, insufficient disclosure undermines informed consent and can expose private content to third-party processing unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal