Ai Video Editor In Capcut

Security checks across malware telemetry and agentic risk

Overview

This looks like a real cloud video-editing skill, but users should review it because it automatically contacts NemoVideo and can send private media to a third-party service under CapCut-themed branding.

Install only if you are comfortable with your videos, audio, prompts, and rendered outputs being processed by NemoVideo rather than assuming this is an official CapCut-local workflow. Avoid sensitive or regulated footage, consider using a dedicated low-privilege NEMO_TOKEN, and expect the skill to create a remote session automatically when first used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 87%
Finding
The routing table sends essentially all unmatched prompts to the SSE editing workflow, which can cause unintended external processing or action execution for ambiguous user input. In a skill that automatically connects to a remote API and can upload/process user media, this broad fallback increases the chance of over-collection, accidental network transmission, and surprising behavior without explicit user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to automatically connect to an external API and generate/use authentication tokens before doing anything else, but it does not require a clear disclosure or consent step about network access and data transmission. This is dangerous because users may unknowingly initiate third-party communication and session creation simply by interacting with the skill.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill encourages users to drop raw video clips into chat while only later mentioning cloud GPU processing, without a strong upfront warning that uploaded media will be sent to third-party cloud infrastructure. Because video files often contain sensitive visual, audio, location, or personal information, insufficient disclosure materially raises privacy and confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.
