Video Editor Remastered

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-remastering skill, but users should know it creates a remote session and sends prompts and uploaded media to nemovideo.ai.

Install only if you are comfortable sending video files, prompts, and render state to mega-api-prod.nemovideo.ai. Avoid sensitive personal, workplace, or confidential footage unless you have reviewed the service’s privacy and retention terms. Test with a short non-sensitive clip first, and use a dedicated NEMO_TOKEN if possible.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Context-Inappropriate Capability

Low (71% confidence)
Finding
The skill instructs deriving `X-Skill-Platform` from local installation paths and references local config paths, which requires inspecting local filesystem context unrelated to core video remastering. Even if only used for attribution headers, collecting local path/platform metadata increases unnecessary host information exposure to a third-party service and weakens data minimization.

Vague Triggers

Medium (80% confidence)
Finding
The invitation text is broad enough that normal conversation about videos could activate the skill and lead users into upload or remote-processing flows without clear intent. In this context, accidental triggering matters because the skill performs network authentication and encourages sending potentially sensitive media to an external backend.

Vague Triggers

Medium (88% confidence)
Finding
The catch-all routing rule sends 'everything else' into the SSE editing path, creating an overly broad trigger surface for remote backend interaction. This raises the chance of unintended transmission of user text to the service and makes the skill easier to invoke outside the user's clear expectations.

Missing User Warnings

Medium (92% confidence)
Finding
The description emphasizes convenience and server-side rendering but does not clearly warn users that uploaded videos are sent to a remote third-party service. Because videos may contain sensitive personal, workplace, or location data, missing disclosure undermines informed consent and can expose users to privacy risk.

Missing User Warnings

Low (94% confidence)
Finding
The skill directs automatic backend connection and token acquisition on first open without a meaningful user warning or consent step. Automatically performing network authentication and session creation can disclose metadata and establish third-party state before the user has affirmatively chosen to use the service.

VirusTotal

64/64 vendors flagged this skill as clean.
