Easy Video Editor With Ai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should know their selected videos, prompts, and session metadata are sent to NemoVideo's remote service.

Install only if you are comfortable sending the videos you choose, editing prompts, media URLs, and render/session metadata to mega-api-prod.nemovideo.ai. Avoid confidential or sensitive footage unless you trust that service's privacy and retention practices, and keep requests clearly scoped to video editing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (89% confidence)
Finding:
The routing table sends all unmatched prompts to the SSE editing action, which can cause unrelated user input to be forwarded to a remote backend without sufficient intent confirmation. In this skill, that increases the chance of accidental data disclosure or unintended remote operations because arbitrary free-form requests may be treated as editing commands and sent off-platform.

Missing User Warnings

Medium (94% confidence)
Finding:
The getting-started and descriptive text encourage users to upload raw footage and provide instructions, but they do not clearly warn that both video content and prompts are transmitted to a cloud processing backend. Because video footage may contain sensitive personal, workplace, or location data, the lack of an upfront disclosure undermines informed consent and can expose users to privacy and compliance risks.

Missing User Warnings

Low (86% confidence)
Finding:
The setup flow instructs the agent to generate a UUID client identifier, request an anonymous token, create a session, and attach attribution headers, but it does not disclose to the user that these identifiers and environment-derived metadata are sent to the backend. While less severe than uploading the actual video, this still creates an undisclosed metadata-sharing pathway that may affect privacy expectations and platform fingerprinting.

VirusTotal

64/64 vendors flagged this skill as clean.
