ClawHub

Ai Video Editor Higgsfield

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-editing skill, but it can automatically connect to a remote backend and route broad user prompts/media toward that service without clear upfront consent.

Install only if you are comfortable sending selected media, prompts, and render metadata to NemoVideo's cloud service. Use non-sensitive footage, confirm before uploads or exports, monitor token/credit use, and avoid private or regulated content unless you have reviewed the provider's data handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The example invocations are broad enough that ordinary user phrasing like "edit my raw video footage" or "export 1080p MP4" could unintentionally trigger this skill. Because the skill uploads media and sends prompts to a remote backend, accidental activation can cause unintended disclosure of user content and unexpected network actions.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The catch-all rule routing "Everything else" to SSE creates an ambiguous trigger surface where many unrelated editing-like requests may be sent to the remote service. In this skill, that is more dangerous because SSE is the primary command path to a cloud backend and can transmit arbitrary user prompts without a clear boundary or opt-in.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documentation encourages users to share raw footage but does not clearly and prominently warn that uploaded media and prompts are transmitted to a third-party cloud GPU/backend service. Since videos may contain sensitive personal, biometric, or location information, lack of upfront disclosure undermines informed consent and increases privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal