Ai Video Editor India

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends chosen media and edit prompts to NemoVideo as part of its stated purpose, with some consent and scoping improvements advisable.

Install only if you are comfortable sending selected videos, images, audio, and edit instructions to NemoVideo's cloud backend. Avoid sensitive, confidential, or regulated footage unless you trust that service's privacy and retention practices, and expect the skill to use NEMO_TOKEN if present or create a temporary anonymous token for processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Low
Confidence: 77%
Finding
The skill instructs reading local install/config paths to infer platform and derive request headers, which expands access to local filesystem metadata beyond what is needed for video editing. While the data sought is limited, unnecessary inspection of local paths can leak environment details and normalizes overbroad local access patterns.

Vague Triggers

Medium
Confidence: 79%
Finding
The invocation examples are broad enough that ordinary conversation about editing or exporting could trigger the skill unexpectedly. In this skill's context, accidental activation is more concerning because it can lead to cloud session creation, token acquisition, and media upload to a third-party backend without sufficiently deliberate user intent.

Vague Triggers

Medium
Confidence: 88%
Finding
The catch-all routing rule sends 'everything else' to the SSE editing action, which is overly permissive and can cause arbitrary user text to be forwarded to the cloud backend. In this context that increases the chance of unintentional data disclosure, unexpected remote processing, and confusion about what content leaves the local environment.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill description does not clearly warn users that uploaded media and prompts are sent to a cloud backend for processing. Because users may share personal or sensitive videos, the missing disclosure meaningfully increases privacy risk and undermines informed consent.

Missing User Warnings

Low
Confidence: 83%
Finding
The skill auto-generates or retrieves authentication tokens for a third-party service without clearly warning the user. Even if the tokens are short-lived, silently creating and using credentials for a remote backend can surprise users and obscures the trust boundary.

VirusTotal

66/66 vendors flagged this skill as clean.
