Video Editor For

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent cloud video editor, but users should understand that their media, prompts, and render activity are sent to the NemoVideo API.

Install only if you are comfortable sending uploaded videos, audio, images, prompts, and draft/render metadata to NemoVideo's cloud API. Treat NEMO_TOKEN as a service credential, avoid sensitive footage unless you trust the provider's privacy and retention practices, and ask the agent to confirm before exports when credits or account quota matter.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium
Confidence: 85%
Finding:
The routing table sends all unmatched requests to the SSE editing workflow, which means ambiguous or unrelated user inputs may trigger remote processing actions by default. In a skill that can upload media, create sessions, and invoke third-party APIs, broad fallback routing increases the chance of unintended external requests, privacy-impacting processing, and confusing behavior without clear user consent.

Missing User Warnings

High
Confidence: 97%
Finding:
The skill description encourages users to send raw video footage but does not clearly disclose that files are uploaded to and processed by a remote third-party API on cloud GPU nodes. This creates a meaningful privacy and data-handling risk because users may share sensitive media under the assumption processing is local or first-party.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill silently uses an existing NEMO_TOKEN or automatically generates an anonymous token via a remote auth endpoint, but this behavior is not transparently disclosed to the user. Automatic credential acquisition and session creation can surprise users, obscure which identity or quota is being used, and cause unintended account, billing, or attribution consequences.

VirusTotal

65/65 vendors flagged this skill as clean.
