Name Of Video Editing

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill appears useful, but its broad automatic routing can send media or prompts to a third-party backend without clear enough user control.

Install only if you are comfortable using Nemo Video as a third-party cloud processor for selected videos and editing instructions. Before uploading private, sensitive, workplace, or regulated media, confirm what will be sent, when the backend connects, and whether you can approve each upload or edit action explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding
The invocation examples are broad and invite activation from generic editing-related phrases, which increases the chance the skill will engage when the user did not clearly intend to use this remote video-editing service. In this skill, unintended activation is more concerning because it can lead to backend connection, token acquisition, and potential upload of user media to a third-party cloud workflow.

Vague Triggers

Medium
Confidence: 92%
Finding
The catch-all rule routes 'everything else' to the SSE editing action, creating an overly permissive trigger path for arbitrary prompts. Because the SSE path sends user text to a remote backend and may mutate session state, ambiguous routing can cause unintended data disclosure or actions without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill describes cloud rendering behavior but does not present a clear user-facing warning at the point of use that uploaded videos and instructions are transmitted to a remote service. For a media-processing skill handling potentially sensitive recordings, lack of explicit disclosure undermines informed consent and raises privacy risk.

VirusTotal

65/65 vendors flagged this skill as clean.
