ClawHub

Video Editing With Obs Studio

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that behaves consistently with its stated purpose, but users should understand that prompts and selected media are sent to NemoVideo's API.

Install only if you are comfortable sending selected recordings, edit prompts, and render requests to NemoVideo's cloud API. Review screen recordings for passwords, private messages, internal documents, or other sensitive content before upload, and treat NEMO_TOKEN like a password.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are extremely broad, such as 'edit my raw footage' and 'export 1080p MP4', which can overlap with ordinary user requests and cause unintended activation. This increases the chance that unrelated content or files are routed to the external service without sufficiently clear user intent, especially when media uploads are involved.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The routing table ends with a catch-all rule that sends 'Everything else' to the SSE backend, making activation effectively default for any unmatched input. In a skill that can upload files, create sessions, and invoke cloud processing, this ambiguity can cause accidental transmission of prompts or media to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description emphasizes convenience but does not clearly warn that user footage is uploaded to and processed by a remote cloud rendering service. Because screen recordings can contain sensitive information, missing this disclosure undermines informed consent and creates privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The automatic setup flow instructs the agent to silently obtain an anonymous token and create a remote session before doing anything else, without first warning the user. This is dangerous because it initiates account-like state and third-party interaction automatically, reducing user awareness and consent around authentication, telemetry, and backend usage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal