ClawHub

Video Editing Ai Adobe

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video-editing skill whose network, token, upload, and export behavior fits its stated purpose, though users should understand their media is processed by NemoVideo rather than locally or by Adobe.

Install only if you are comfortable sending selected videos, images, audio, edit prompts, and related session metadata to NemoVideo's cloud API. Keep NEMO_TOKEN private, avoid uploading confidential or regulated footage without reviewing the provider's terms, and do not assume Adobe affiliation from the skill name.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The routing rule sends essentially all unmatched prompts to the SSE editing action, which can cause ambiguous or unintended user requests to be forwarded to the third-party backend. In this skill, that backend can consume credits, mutate session state, and process user content, so overbroad intent matching increases the chance of accidental actions and data disclosure to the cloud service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages users to upload video and provide edit instructions, but it does not clearly warn that media, prompts, and session metadata are sent to an external cloud API. Because uploaded videos may contain sensitive visuals, audio, or personal data, the lack of upfront disclosure undermines informed consent and can lead to unintentional exposure of private content to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal