ClawHub

Video Clip Maker Online

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should know their videos and prompts are sent to nemovideo.ai.

Install only if you are comfortable sending video files, edit prompts, and session metadata to nemovideo.ai. Use a dedicated NEMO_TOKEN or the anonymous token flow, avoid uploading sensitive footage unless you trust the service's data handling, and confirm intended uploads/exports when prompts are ambiguous.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill’s invocation examples and routing rules are broad enough that ordinary conversation like 'export', 'upload', or vague editing requests could trigger setup, authentication, or remote actions without strong user intent confirmation. In a skill that uploads media and communicates with a third-party API, accidental activation increases the chance of unintended data transfer and side effects such as session creation, token generation, or cloud processing of user content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to share raw video footage and describes cloud rendering, but it does not clearly warn up front that videos, prompts, and session metadata are sent to a third-party processing API. Because video footage may contain sensitive personal, biometric, location, or copyrighted content, insufficient disclosure undermines informed consent and can lead to unintended privacy and compliance exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal