ClawHub

Video Editing For Beginners Youtube

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-editing helper that sends user-chosen clips and editing prompts to NemoVideo, which matches its stated purpose but has privacy considerations.

Install only if you are comfortable sending selected video files, URLs, and editing instructions to NemoVideo's cloud service. Keep NEMO_TOKEN private, avoid uploading sensitive footage unless you have reviewed the provider's privacy and retention terms, and confirm uploads/exports before processing important media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The example invocation phrases are extremely broad (for example, generic requests to edit, export, or trim media) and can cause the skill to activate during ordinary conversation without clear user intent. In this skill, unintended activation is more sensitive because it can initiate remote session setup and lead users toward uploading video files to an external service.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing table includes an 'Everything else' catch-all that sends unmatched input into the SSE editing workflow, which is overly permissive and can interpret unrelated or ambiguous user text as a command. Because the default path reaches a remote backend and may affect session state, this broad routing increases the chance of unintended processing and data disclosure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill encourages users to share raw video clips but does not clearly warn that those files are uploaded to and processed by an external third-party service. This omission undermines informed consent and is more concerning here because uploaded videos may contain sensitive personal, workplace, or location data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal