ClawHub

Ai Video Editor Download Apk

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that does what it claims, but users should know their media and prompts are sent to NemoVideo for processing.

Install only if you are comfortable sending selected videos, audio, image URLs, and edit prompts to NemoVideo's cloud service. Avoid confidential, regulated, or non-consensual footage unless you have verified the provider's privacy and retention terms, and treat NEMO_TOKEN as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The routing table sends 'Everything else' to the SSE editing action, which is an overly broad trigger that can capture unrelated user input and forward it to a remote backend. In this skill, that increases the chance of unintended cloud processing, accidental data disclosure, and confusing or unsafe action selection because arbitrary text may be treated as an editing command.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to upload raw video footage to a cloud backend but does not clearly warn, up front, that user media and prompts are transmitted to a third-party remote service. Because videos often contain sensitive personal, biometric, location, or copyrighted content, the lack of conspicuous disclosure undermines informed consent and can lead to unintentional privacy exposure.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The skill notes that closing the tab can orphan render jobs, but it does not present this as a clear user-facing warning during setup or before export. This can cause users to lose access to generated results or waste session resources and credits because exports depend on an active remote session lifecycle.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal