Maker Editor

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends user-provided videos and editing prompts to an external backend. That is consistent with what the skill is for, but it means the user needs to understand where their media goes before installing it.

Install only if you are comfortable sending videos, source URLs, and editing instructions to mega-api-prod.nemovideo.ai. Avoid sensitive or confidential media unless you trust the service's privacy, retention, and account controls; prefer an explicit NEMO_TOKEN if you want accountable usage instead of the anonymous starter-token flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill instructs the agent to silently obtain an anonymous backend token when no user-provided credential exists, effectively granting backend access without explicit user authentication or consent. This can bypass expected account-level controls, obscure attribution, and enable unreviewed use of a third-party service under ephemeral identities.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
Allowing remote URL ingestion expands the attack surface beyond user-uploaded files and can enable server-side fetching of attacker-controlled URLs. If the backend does not strictly validate destinations, this can facilitate SSRF-like behavior, unexpected data exfiltration, or ingestion of non-user-owned media.
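The two findings above (silent anonymous-token fallback, and server-side fetching of user-supplied URLs) are both things a skill host can check locally before any request reaches the backend. The following is an added illustration written for this report; it is not code from the Maker Editor skill, from NVIDIA's SkillSpector, or from the nemovideo.ai backend. The environment variable name NEMO_TOKEN is taken from the report; the function names, the `allow_anonymous` opt-in flag, the https-only/port-443 policy, and the sample URLs are all assumptions made here.

```python
"""Preflight checks a skill host could run before handing a job to a cloud
video-editing backend. Added illustration for this report, not the skill's
own code. NEMO_TOKEN is the variable named in the report; every other name
and policy value below is an assumption."""
import ipaddress
import socket
from typing import Callable, Iterable, Mapping
from urllib.parse import urlsplit


class PolicyError(Exception):
    """Raised when a request would violate the local policy."""


def resolve_backend_credential(env: Mapping[str, str],
                               allow_anonymous: bool = False) -> str:
    """Return the credential to use for the backend call.

    The finding is that the skill mints an anonymous starter token on its own
    when NEMO_TOKEN is unset. Here the anonymous path is only taken when the
    caller has explicitly opted in, so the choice is visible and attributable.
    """
    token = env.get("NEMO_TOKEN", "").strip()
    if token:
        return token
    if allow_anonymous:
        return "anonymous"  # sentinel: the caller chose the unauthenticated flow
    raise PolicyError("NEMO_TOKEN is not set; refusing silent anonymous fallback")


ALLOWED_SCHEMES = {"https"}  # assumption: plain http sources are not accepted
ALLOWED_PORTS = {443}        # assumption
Resolver = Callable[[str], Iterable[str]]


def _system_resolver(host: str) -> list[str]:
    """Resolve a hostname to IP strings with the system resolver (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_source_url(url: str, resolver: Resolver = _system_resolver) -> str:
    """Check a user-supplied media URL before anything fetches it server-side.

    Rejects non-https schemes, embedded credentials, unexpected ports, and any
    destination that is (or resolves to) a loopback, private, link-local
    (including 169.254.169.254 cloud metadata), multicast, reserved or
    unspecified address. Returns the canonical "host:port" on success.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise PolicyError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise PolicyError("URL has no host")
    if parts.username or parts.password:
        raise PolicyError("credentials embedded in URL")
    try:
        port = parts.port or 443
    except ValueError as exc:  # e.g. "https://host:notaport/"
        raise PolicyError(f"malformed port: {exc}") from exc
    if port not in ALLOWED_PORTS:
        raise PolicyError(f"port not allowed: {port}")
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: no DNS lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError, KeyError) as exc:
            raise PolicyError(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise PolicyError(f"{host!r} resolved to no addresses")
    for addr in addrs:
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            raise PolicyError(f"{host!r} resolves to non-public address {addr}")
    return f"{host}:{port}"


def source_url_allowed(url: str, resolver: Resolver = _system_resolver) -> bool:
    """Boolean convenience wrapper around validate_source_url."""
    try:
        validate_source_url(url, resolver)
        return True
    except PolicyError:
        return False


# Constructed sample inputs and a stub resolver so the demo runs offline.
STUB_DNS = {"cdn.example.com": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
SAMPLE_URLS = [
    "https://cdn.example.com/clip.mp4",
    "https://intranet.example/share/clip.mp4",
    "https://169.254.169.254/latest/meta-data/",
    "http://cdn.example.com/clip.mp4",
    "https://user:pw@cdn.example.com/clip.mp4",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u!r:50} -> {'allow' if source_url_allowed(u, STUB_DNS.__getitem__) else 'reject'}")
```

One caveat a practitioner should keep in mind: resolving the hostname at check time does not guarantee the fetcher connects to the same address later (DNS rebinding). The fetch itself should connect to the address that passed the check, or re-run the check on the socket's peer address, and any redirect the fetcher follows needs to go through the same validation.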

Vague Triggers

Medium
Confidence: 79%
Finding
The catch-all routing sends nearly any unmatched prompt to the editing/SSE action, which can cause unintended transmission of arbitrary user text to the backend. This increases the chance of overbroad data disclosure, accidental tool execution, and misuse when a user did not intend to invoke the skill.

Missing User Warnings

Medium
Confidence: 90%
Finding
The user-facing description emphasizes easy editing but omits that uploaded media and prompts are sent to a cloud backend for processing. This creates a meaningful consent and privacy gap, especially for potentially sensitive video content, because users may not realize their files leave the local environment.

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it clean. Note that antivirus engines scan the skill's files for known malicious content, so a clean result does not address the behavioral findings above (anonymous-token fallback, remote URL ingestion, catch-all triggering, missing disclosure), which are visible only from what the skill instructs the agent to do.
