Ai Video Editor Kapwing

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-processing skill that uses NemoVideo tokens and remote uploads in ways that fit its stated purpose, but users should understand the privacy and credential implications before using it.

Install only if you are comfortable sending selected videos, prompts, and related render metadata to NemoVideo's cloud backend. Avoid confidential or regulated footage unless you trust the provider's privacy and retention practices, and protect NEMO_TOKEN because it authorizes use of the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 95% confidence
Finding
The skill encourages users to upload raw videos while the backend processes them on a remote cloud service, but it does not present a clear upfront disclosure at the point of use that user media is transmitted off-device. This can cause users to unknowingly send sensitive screen recordings, personal videos, or confidential business material to a third-party service, creating privacy and data-handling risk.

Missing User Warnings

Low, 90% confidence
Finding
The setup flow silently checks for `NEMO_TOKEN`, can obtain an anonymous token from a remote service, and stores a session ID for subsequent API calls without clearly informing the user. While this is functional behavior, the lack of explicit disclosure reduces informed consent around credential handling and persistent session use, especially in environments where tokens may correspond to billable credits or identifiable account activity.

VirusTotal

66/66 vendors flagged this skill as clean.
