Team Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends user-provided clips and edit instructions to NemoVideo, which matches its stated purpose but requires normal privacy caution for interview media.

Install only if you are comfortable sending uploaded clips, voices, faces, and editing prompts to NemoVideo's cloud service. Avoid confidential interviews, regulated data, or sensitive workplace media unless you have confirmed the service's retention, access-control, and deletion terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (93% confidence)
Finding
The routing table includes an 'Everything else' catch-all that sends arbitrary user prompts into the SSE editing workflow. In a conversational agent environment, this can cause the skill to activate on unrelated requests and forward unexpected user text to the remote backend, creating privacy, data handling, and unintended-action risks. Because this skill also performs authenticated cloud operations, overbroad invocation is more dangerous than a purely local no-op misroute.

Missing User Warnings

Medium (89% confidence)
Finding
The skill does mention server-side processing later, but the user-facing getting-started/marketing section does not prominently warn that uploaded media and prompts are sent to a third-party cloud service. For interview clips containing employee likenesses, voices, and potentially sensitive workplace information, lack of clear upfront disclosure can lead to uninformed data sharing and privacy/compliance issues. The context makes this more serious because the content is likely personal media rather than trivial text.

VirusTotal

66/66 vendors flagged this skill as clean.
