Ai Video Editor Generative

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud AI video-editing skill that uploads user-selected media and prompts to NemoVideo for processing, with no install scripts or hidden local behavior found.

Install only if you are comfortable sending selected videos, images, audio, prompts, and derived editing data to NemoVideo's cloud service. Protect NEMO_TOKEN, avoid uploading confidential media unless you trust the provider's privacy and retention practices, and confirm ambiguous requests before sending them to the remote editor.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The routing table sends all unmatched prompts into the SSE editing workflow, which can cause unrelated user requests or ambiguous messages to be forwarded to the third-party backend. In this skill, that increases the chance of unintended disclosure of user text and accidental invocation of upload/edit actions without clear user intent, especially because the skill auto-connects on first interaction and is designed to process user media in a cloud service.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill encourages users to share raw video clips and automatically connect to a remote API, but it does not prominently warn that uploaded media and prompts are sent to a third-party cloud processing service. Because videos often contain sensitive visual, audio, or metadata content, the missing disclosure undermines informed consent and can lead to inadvertent exposure of private or regulated data.

VirusTotal

66/66 vendors flagged this skill as clean.
