Free Editor Online

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video editing skill that openly uses a remote service, with minor privacy and metadata caveats but no evidence of deceptive or destructive behavior.

Before installing, treat this as a third-party cloud video editor: do not upload sensitive media unless you trust the service and understand its retention, sharing, and deletion policies. Keep `NEMO_TOKEN` private, expect anonymous tokens to expire, and ask the publisher to clarify whether `~/.config/nemovideo/` is actually read or written and why platform attribution is derived from install paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Low
Confidence: 92%
Finding
The skill instructs the agent to inspect local install paths such as `~/.clawhub/` and `~/.cursor/skills/` to derive platform metadata unrelated to the user's video-editing request. Even though the data collected is limited, probing local filesystem paths expands the skill's access footprint and can disclose environmental details without a clear user-facing need.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill sends user prompts, uploaded media, and session data to a remote third-party processing service, but the user-facing getting-started flow does not prominently warn about this before upload or first use. This can lead users to disclose sensitive videos, audio, or metadata without informed consent, especially because the setup auto-connects on first interaction.

VirusTotal

66/66 vendors flagged this skill as clean.
