ClawHub

Video Editor Ai Best

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill does what it claims, but it can automatically use tokens and send prompts or media to an external backend with too little user-facing consent.

Install only if you are comfortable with video files, media URLs, edit prompts, token-based sessions, and export jobs being handled by nemovideo.ai. Before using it, ask the agent to confirm before connecting, uploading, editing, exporting, or using credits, and avoid confidential footage unless you trust the provider's data handling and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation examples and guidance are broad enough that ordinary user conversation about editing or exporting video could trigger the skill unexpectedly. In a skill that can automatically connect to a backend and begin processing user media, overbroad activation increases the chance of unintentional data transfer or action execution without clear informed intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing table includes an undefined catch-all rule ('Everything else') that makes the skill's activation and action selection scope ambiguous. This can cause normal conversation to be treated as an editing command and sent to the SSE/backend path, which is risky because the skill also creates sessions and may process user content automatically.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes uploading footage and receiving an edited result, but it does not clearly warn the user at the point of use that their media is sent to a third-party cloud backend for processing and rendering. Because this skill handles potentially sensitive video/audio content, inadequate disclosure creates meaningful privacy and consent risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to silently use an environment credential if present, or automatically acquire an anonymous token otherwise, while explicitly telling it to hide technical details from the user. This is dangerous because it enables credential use and account-affecting API access without clear user awareness or consent, and the automatic token flow can create remote sessions tied to the user's activity.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal