ClawHub

Video Ai Easy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill that sends supplied videos and editing prompts to Nemo Video's API, with no evidence of hidden local execution or unrelated data access.

Install only if you are comfortable sending the videos you provide, editing prompts, and related session/render metadata to Nemo Video's remote service. Avoid sensitive footage unless you trust that provider's privacy and retention practices, and use a limited or anonymous token where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing rule sends essentially all non-explicit prompts to this skill, which can cause the agent to capture unrelated user requests and initiate remote API activity unexpectedly. In a skill that uploads media and acquires tokens automatically, overbroad matching increases the chance of unintended data transfer, confused-deputy behavior, and user actions being executed against the wrong backend.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages users to drop raw video footage into chat and automatically connects to a third-party processing API, but it does not clearly warn that uploaded media is sent to a remote cloud service. Because videos often contain sensitive visual, audio, location, or biometric data, missing disclosure undermines informed consent and can lead to privacy and compliance issues when users believe processing is local or opaque.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal