Editor Ai Linkedin

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that largely does what it says, but users should understand their media and prompts are sent to an external video service.

Install only if you are comfortable sending video files, any supported media you upload, edit instructions, and session metadata to mega-api-prod.nemovideo.ai for cloud processing. Avoid confidential client footage or sensitive personal recordings unless you trust that service's privacy, retention, and account practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium (85% confidence)

Finding:
The documented supported formats and workflow expand beyond the stated LinkedIn video-editing purpose into generic media ingestion, including images and audio. This broadens the skill's data-handling surface and can enable unexpected processing of unrelated user files, increasing privacy and misuse risk beyond what users may reasonably expect from the skill description.

Context-Inappropriate Capability

Medium (93% confidence)

Finding:
The skill instructs the agent to inspect local install paths and configuration locations to derive attribution headers and platform metadata, which is not necessary for editing a video. Accessing local filesystem paths for this purpose creates unnecessary host-environment discovery and may expose contextual system information to a remote service.

Vague Triggers

Medium (78% confidence)

Finding:
The phrase 'tell me what you're thinking' is overly broad for a specialized video-editing skill and can cause the skill to activate on unrelated conversation. Overbroad activation increases the chance that unrelated user input, including sensitive text, is routed into this skill's remote session setup and processing flow.

Vague Triggers

Medium (82% confidence)

Finding:
The trigger examples are generic and action-oriented without requiring clear mention of LinkedIn video editing or media context. This makes accidental invocation more likely, which is especially risky because the skill immediately connects to external APIs and may initiate token/session creation before the user has clearly consented to remote processing.

Missing User Warnings

Medium (95% confidence)

Finding:
The skill sends user media to a third-party remote processing service, but the description does not prominently warn users before upload or first use. Because raw video often contains biometric, workplace, location, or other sensitive information, insufficient disclosure undermines informed consent and increases privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
