Best Video Edit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should know their selected media and edit prompts go to NemoVideo’s remote service.

Install only if you are comfortable sending selected videos, audio, images, edit instructions, and session metadata to NemoVideo. Treat NEMO_TOKEN like a password, avoid private or regulated footage unless you trust the provider, and be aware that opening the skill may create a remote session automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding
The suggested invocation phrases are broad and natural enough that they could be triggered during ordinary conversation, especially because they include generic editing verbs like "edit" and "export." In an agent environment, this can cause unintended activation of the skill and lead users to begin workflows such as authentication or media processing without sufficiently explicit intent.

Vague Triggers

Medium
Confidence: 93%
Finding
The catch-all rule routes "everything else" to the SSE action, which is effectively an unbounded fallback for arbitrary user text. Because SSE sends free-form messages to a remote backend, ambiguous routing can cause accidental transmission of unrelated or sensitive user content and may trigger remote actions without clear user consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill clearly relies on a remote cloud rendering pipeline and uploads user media to external services, but it does not present a prominent user-facing warning before encouraging upload of video files. This creates privacy and data-handling risk because users may share sensitive footage without understanding that content, metadata, and session state are sent to third-party infrastructure.

VirusTotal

64/64 vendors flagged this skill as clean.
