Video Editing With Openclaw

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose network use is disclosed and aligned with its purpose, though users should be careful with sensitive videos.

Install only if you are comfortable sending videos, audio, filenames or URLs, and editing instructions to nemovideo.ai. Start with non-sensitive clips, watch credit usage, and confirm before uploading, editing, or exporting private, client, screen-recording, face, or location-revealing media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The example invocations are very generic phrases like "export 1080p MP4" and "edit my raw video footage," which can overlap with ordinary user requests outside an explicit intent to invoke this skill. In an agent ecosystem with automatic routing, such broad triggers can cause unintended activation and result in files being sent to the remote video-processing backend without sufficiently deliberate user choice.

Vague Triggers

Medium
Confidence: 96%
Finding
The routing table sends "Everything else" to the SSE editing action, creating a catch-all activation path for nearly any unmatched prompt. This is dangerous because ambiguous or unrelated user text could be interpreted as an edit command, leading to unintended backend actions, session creation, or processing of user media on an external service.

Missing User Warnings

Medium
Confidence: 88%
Finding
The user-facing description emphasizes convenience but does not clearly foreground that uploaded videos are transmitted to a third-party cloud backend for processing. Because the skill handles potentially sensitive media, insufficient disclosure undermines informed consent and increases privacy risk if users assume processing is local or agent-internal.

VirusTotal

66/66 vendors flagged this skill as clean.
