ClawHub

Video Editing

Security checks across malware telemetry and agentic risk

Overview

This is a coherent video-editing skill, but it includes face-swap guidance and third-party media-upload API examples without enough consent, privacy, or credential-handling guidance.

Review before installing. Use cloud/API workflows only after confirming the footage is allowed to leave your environment and the provider terms are acceptable. Keep API keys out of chats and source files, prefer local tools for confidential media, and use face-swap features only with clear consent and never for impersonation, harassment, or non-consensual synthetic media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill documents face-swapping commands in a general-purpose video editing skill without a strong, necessity-based justification or restriction. Because face swapping enables impersonation, non-consensual synthetic media, and reputational abuse, including it as a normal effect increases the risk of misuse by downstream agents or users.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill includes concrete API examples that send user video content to third-party services, but it does not warn users that their media will leave the local environment or describe the privacy implications. Because videos can contain faces, locations, screens, or other sensitive content, this omission can lead to unintentional disclosure to external processors.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Runway example instructs users to send a video reference to a third-party API but does not warn that video content or accessible video URLs may be transmitted off-platform. In a video-editing skill, users may process sensitive or proprietary footage, so omission of a privacy/data-transfer warning can lead to unintended disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The only caution provided is 'Use responsibly, ethical concerns,' which is too vague for a capability that can facilitate deepfake-like impersonation and privacy violations. Without clear warnings on consent, legality, reputational harm, and misuse restrictions, the documentation normalizes a high-risk operation and fails to set adequate safety boundaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill includes a concrete example that sends a video reference to a third-party API but does not disclose data leaves the local environment or discuss privacy, consent, retention, or service-side processing. In a video-editing context, uploaded videos may contain sensitive personal, client, or proprietary content, so omission of an explicit warning can lead to unintended external disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Replicate example uploads a local video file to a third-party external service, but the skill does not warn users that their video data will leave their machine and be processed remotely. Videos often contain sensitive personal, biometric, location, or proprietary content, so omission of a transmission/privacy warning can lead to unintended disclosure and compliance issues.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://api.dev.runwayml.com/v1/color-grade",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
Confidence
88% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://api.dev.runwayml.com/v1/color-grade",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
Confidence
88% confidence
Finding
requests.post( "https://api.dev.runwayml.com/v1/color-grade", headers={"Authorization": f"Bearer {API_KEY}"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
import requests

response = requests.post(
    "https://api.dev.runwayml.com/v1/color-grade",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
        "video_url": "https://...",
Confidence
84% confidence
Finding
https://api.dev.runwayml.com/

External Transmission

Medium
Category
Data Exfiltration
Content
import requests

# Example: Remove background
response = requests.post(
    "https://api.dev.runwayml.com/v1/green-screen",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={"video_url": "https://..."}
Confidence
85% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
import requests

# Example: Remove background
response = requests.post(
    "https://api.dev.runwayml.com/v1/green-screen",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={"video_url": "https://..."}
Confidence
85% confidence
Finding
requests.post( "https://api.dev.runwayml.com/v1/green-screen", headers={"Authorization": f"Bearer {API_KEY}"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
# Example: Remove background
response = requests.post(
    "https://api.dev.runwayml.com/v1/green-screen",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={"video_url": "https://..."}
)
Confidence
80% confidence
Finding
https://api.dev.runwayml.com/

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal