Bing Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-editing connector that appears to match its stated purpose, with privacy and activation-scope caveats users should understand.

Install only if you are comfortable sending selected video, audio, image files, URLs, and editing prompts to the NemoVideo cloud API. Avoid sensitive recordings unless you trust that service, use a limited token where possible, and be explicit when invoking the skill so vague requests are not routed into a remote editing session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The startup prompt invites users to share clips or vaguely describe what they want, which can cause the skill to activate on ordinary conversation rather than a clearly scoped user action. In a skill that uploads media and contacts a remote backend, accidental invocation increases the chance of unintended data transfer and surprise external API usage.

Vague Triggers

Medium
Confidence: 95%
Finding
The example trigger phrases are extremely generic, such as "generate my video clips" and "export 1080p MP4," which could overlap with many unrelated workflows. Because this skill can establish sessions and send user media/prompts to a third-party service, ambiguous routing materially raises the risk of unintended activation and external data exposure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the agent to connect to a backend API and create sessions before handling requests, but it does not clearly warn users that their uploaded media and prompts will be transmitted to a remote cloud service. For a media-processing skill handling potentially sensitive video content, missing disclosure undermines informed consent and can lead to privacy and compliance issues.

VirusTotal

64/64 vendors flagged this skill as clean.
