ClawHub

Video Editing With Korean

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-editing helper, but users should understand that videos and editing requests go to nemovideo.ai for processing.

Install only if you are comfortable sending video files, prompts, project state, and related metadata to nemovideo.ai for cloud processing. Avoid uploading sensitive footage unless you trust that provider’s privacy, retention, and account-credit practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is presented as a narrow Korean-captioning tool, but the instructions enable a broader remote video-editing and orchestration workflow, including upload, session management, state inspection, credits queries, and export operations. This scope expansion is dangerous because users and host platforms may grant trust or permissions based on the narrower description, creating a capability mismatch and reducing informed consent about what the skill actually does.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends uploaded videos, editing instructions, and session data to a third-party remote API, but the user-facing description does not clearly warn users before they share potentially sensitive media. This creates a significant privacy and transparency risk because users may unknowingly transmit personal, biometric, location, or confidential business content off-platform to an external processor.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal