Video Editor Kaise

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should understand that media, prompts, and account/session details go to a third-party backend.

Install only if you are comfortable sending videos, audio, images, edit prompts, and related metadata to nemovideo.ai for processing. Use your own NEMO_TOKEN if you want clearer account control, and avoid uploading private or sensitive media unless you trust that service's handling of it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium, 86% confidence
Finding
The skill presents itself as a simple video editor, but its instructions also include acquiring anonymous auth tokens, creating backend sessions, and handling credits/subscription state. This hidden account and token-management behavior expands the trust boundary and can surprise users or host agents, especially if they did not expect automated registration-like flows or use of free-credit mechanisms on a third-party service.

Vague Triggers

Medium, 81% confidence
Finding
Routing 'everything else' to the editing action is overly broad and can cause unrelated user prompts to be sent to the remote backend. That increases the chance of unintended data disclosure, accidental actioning of ambiguous requests, and misuse of the skill outside its declared purpose.

Missing User Warnings

Medium, 92% confidence
Finding
The skill processes uploaded media on remote GPU nodes, but the description does not prominently warn users that their files are transmitted to third-party servers. For potentially sensitive personal videos, this lack of upfront disclosure undermines informed consent and can lead to privacy and compliance issues.

VirusTotal

64/64 vendors flagged this skill as clean.
