ClawHub

Llm For Video Editing

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video editor that openly uses NemoVideo APIs for user-provided media, with privacy considerations but no hidden install code or unrelated local access.

Install only if you are comfortable sending the videos, audio, images, and edit prompts you provide to NemoVideo's cloud service. Avoid confidential interviews, private business footage, or sensitive personal content unless you have reviewed the provider's privacy and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill advertises very broad trigger phrases like sharing footage or describing what the user is thinking, and the routing table falls back to treating nearly everything else as an editing command. This can cause unintended activation and transmission of user content to the cloud backend when the user did not clearly consent to invoking this skill, especially in a multi-skill or ambient prompt-routing environment.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Telling users to begin with open-ended language makes the activation boundary ambiguous. In practice, this increases the chance that normal conversation gets interpreted as a command to start cloud-backed video processing or setup, which can expose files, metadata, or tokens through unintended workflow execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to share raw video footage and states that processing occurs on a cloud backend, but it does not present a clear, prominent privacy warning before upload or explain what data leaves the local environment. Raw videos often contain sensitive biometric, location, workplace, or personal conversation data, so silent or poorly disclosed cloud transmission creates meaningful privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal