ClawHub

Text To Video Editing Ai

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, with some ordinary privacy and routing caution because footage and prompts go to NemoVideo for processing.

Install only if you are comfortable sending raw footage, media URLs, edit prompts, and timeline metadata to NemoVideo's cloud service. Use explicit video-editing requests, avoid sensitive or confidential footage unless you accept the vendor-processing risk, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The suggested trigger phrases are broad enough that ordinary user language like 'edit my raw video footage' or 'export 1080p MP4' could activate the skill without clear intent. Because this skill uploads media to a third-party cloud backend and performs account/session setup, accidental activation could cause unintended data disclosure or external API use.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The routing table contains an 'Everything else' catch-all that sends most unmatched requests into the SSE editing flow. This creates a high risk of over-triggering on unrelated conversation, potentially causing unintended remote processing, session actions, or transmission of user-provided content to the vendor backend.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill text says it will 'handle the AI text-driven editing on cloud GPUs' but does not present a prominent, upfront privacy warning that uploaded video is transmitted to a third-party cloud service. Since users may share raw footage containing sensitive personal, business, or copyrighted material, insufficient disclosure increases the risk of uninformed consent and privacy exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal