ClawHub

Video Editing Ai Link

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill is purpose-aligned, but it can automatically create remote sessions and send videos or prompts to NemoVideo with weak consent boundaries.

Install only if you are comfortable sending video files, edit prompts, session metadata, and token-authenticated requests to NemoVideo's remote service. Avoid private, confidential, regulated, or third-party footage unless you have permission and understand NemoVideo's privacy and retention terms. Ask the agent to confirm before uploads, edits, exports, or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The routing table sends all unmatched requests into the edit/generate SSE workflow, which is overly permissive for a skill that can upload media, create sessions, and trigger remote backend actions. Broad catch-all invocation increases the chance of accidental activation from ordinary conversation, causing unintended transmission of user prompts or media to the external service.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The suggested invocation phrases are broad marketing-style language that overlaps with normal conversational requests, making unintended skill activation more likely. In this skill, accidental activation is more sensitive because requests are forwarded to a remote API and may consume credits or expose user-provided content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill processes user media and instructions through a third-party backend, but the user-facing description does not clearly warn that uploads and editing prompts leave the local environment. This creates a privacy and consent risk, especially for potentially sensitive videos, because users may not realize their content is being transmitted to a remote cloud service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal