Video Editing Ai Local

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-editing integration that repeatedly advertises local, no-upload privacy while instructing agents to create NemoVideo cloud sessions and upload media for processing.

Review carefully before installing. Use this only if you are comfortable sending your media, prompts, and editing state to NemoVideo’s cloud API, and do not rely on the local/no-upload privacy claims. Avoid confidential, regulated, or sensitive footage unless the provider’s data handling and retention terms are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill markets itself as 'local' and privacy-conscious while explicitly instructing the agent to obtain tokens, create remote sessions, upload user media to external endpoints, and render on cloud GPUs. This mismatch can mislead users into sharing sensitive video content under false privacy expectations, creating a real confidentiality and informed-consent risk.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation simultaneously claims local AI editing and says processing occurs on cloud GPUs, which is a material contradiction about where user data is handled. Users and downstream agents may rely on the safer-sounding local claim, causing improper disclosure of sensitive footage to a remote service.

Vague Triggers

Medium
Confidence: 84%
Finding
The invocation language is broad enough that ordinary video-editing requests may trigger this skill without users realizing it will contact a third-party service. In the context of misleading privacy claims, over-broad activation increases the chance that sensitive media is routed to remote APIs without clear, informed user intent.

Vague Triggers

Medium
Confidence: 90%
Finding
Using an 'Everything else' bucket to route requests to SSE editing creates an overbroad catch-all that can absorb ambiguous prompts and initiate remote processing logic too readily. Because the skill handles user media and remote sessions, this loose routing meaningfully raises the risk of unintended data transfer or action execution.

Missing User Warnings

Medium
Confidence: 97%
Finding
The description emphasizes local/privacy-conscious use while omitting that user videos, metadata, and session information are sent to remote NemoVideo APIs. This can cause users to disclose sensitive footage, audio, or embedded personal data under false assumptions about where processing occurs and who can access it.

VirusTotal

65/65 vendors flagged this skill as clean.
