Editor Ai Simple

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill that uploads media and prompts to a remote editing service, with privacy considerations but no artifact-backed malicious behavior.

Install only if you are comfortable sending video files, URLs, editing prompts, and service metadata to NemoVideo's cloud API. Avoid private, regulated, or confidential footage unless you trust that provider's privacy, retention, and deletion practices, and treat NEMO_TOKEN as a credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Low (78% confidence)
The skill instructs the agent to derive platform/install-path attribution and send it on every request, even though cloud video editing does not require local install-path disclosure. This creates unnecessary metadata leakage that can be used for fingerprinting users or environments and expands data collection beyond what is needed for the advertised function.

Vague Triggers

Medium (83% confidence)
Routing essentially all unmatched prompts to this skill creates an over-broad activation surface, increasing the chance that unrelated user input is sent to the remote backend. In this context, the danger is amplified because the skill is cloud-connected and may transmit user text or media off-device without sufficiently specific intent to use the editor.

Missing User Warnings

Medium (90% confidence)
The skill description encourages users to drop raw footage into chat but does not prominently warn that uploaded media will be sent to a cloud processing backend. This can cause users to unknowingly transmit sensitive or private video content off-device, which is a meaningful privacy and data-handling risk in a media-processing skill.

Missing User Warnings

Low (86% confidence)
The anonymous-token flow generates and sends a client identifier to the remote service, but the skill does not clearly disclose this behavior to the user. While the identifier is not obviously highly sensitive on its own, undisclosed device/client fingerprinting metadata creates privacy risk and undermines informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
