ClawHub

Tiktok Editor Ai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should understand that selected media and editing prompts are sent to NemoVideo's backend.

Install/use this only if you are comfortable sending chosen videos, audio, images, and edit prompts to NemoVideo's cloud backend. Avoid sensitive or confidential footage, and ask for confirmation before uploads, edits, exports, or credit-affecting actions if you want tighter control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation examples use very generic phrases like "export 1080p MP4" and "edit my raw video clips," which overlap with ordinary user requests and can cause the skill to activate when the user did not explicitly intend to invoke this specific cloud-connected tool. Because the skill performs network setup, token acquisition, session creation, and potentially uploads user media to a third-party service, accidental activation can lead to unintended data transfer and external API use.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The catch-all rule routing "Everything else" to SSE creates an effectively unbounded trigger surface for arbitrary editing-related text, making it easy for normal conversation to be sent to the backend without a strong signal that the user intended to use this skill. In this skill's context, that is more dangerous because SSE messages are transmitted to an external cloud service tied to authenticated sessions and can drive follow-on operations against uploaded media.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal