ClawHub

Video Maker With Effects Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing instruction skill with real privacy considerations, but its network use, token handling, uploads, and rendering behavior are coherent with the stated purpose and disclosed in the artifact.

Install only if you are comfortable sending videos, audio, images, prompts, session metadata, and any provided media URLs to NemoVideo cloud services. Avoid sensitive personal or confidential media, use only trusted URLs you are authorized to process, and check NemoVideo’s retention and privacy terms if data handling matters for your use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill markets itself as a simple video upload/edit tool, but the documented upload flow also accepts arbitrary URLs and a much broader set of asset types than the manifest suggests. This expands the data-ingestion surface without clear user disclosure or constraints, increasing the risk of unexpected remote fetching, privacy issues, and misuse of the agent to retrieve third-party content.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Allowing arbitrary URL ingestion is a meaningful capability increase beyond local file upload because it lets the skill cause backend fetches from attacker-controlled locations. Even if the fetch occurs server-side, this can enable abuse such as pulling unexpected content, processing unreviewed third-party assets, or creating a hidden data-transfer path not obvious from the skill's stated purpose.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation examples are broad and generic, such as 'edit my video clips' and 'export 1080p MP4,' which could match many benign conversations and trigger this skill unexpectedly. Overly vague invocation scope increases the chance that users send files or editing requests to this cloud-connected skill without realizing which backend is being engaged.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing rule sends 'everything else' related to generation or editing into the SSE workflow, creating a catch-all pathway with few stated limits. This makes the skill easier to activate accidentally and harder for users or the host platform to reason about, especially because the action includes session creation and remote processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not clearly warn users that uploaded videos are transmitted to a third-party cloud rendering backend. For a media-processing tool handling potentially sensitive personal content, this omission undermines informed consent and increases privacy risk because users may believe processing is local or limited to the agent environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal