ClawHub

Video Editor Software For Beginners

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that is coherent with its purpose, though users should understand that media and edit prompts go to NemoVideo’s external service.

Install only if you are comfortable sending selected videos, URLs, and edit instructions to NemoVideo’s cloud API. Avoid uploading sensitive footage unless you trust that provider’s handling practices, and use a limited-purpose token where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The routing table sends all unmatched inputs to the SSE editing action, which can cause unintended cloud-side processing for vague or unrelated prompts. In this skill, that broad catch-all increases the chance of accidental execution of remote actions and user data transmission without clear confirmation, especially because the backend performs stateful edits and uploads.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to connect to a cloud backend, create sessions, and process uploaded video, but it does not clearly warn users that their media and editing instructions are transmitted to a third-party service. For a video-editing skill handling potentially sensitive personal footage, the lack of explicit disclosure and consent materially increases privacy and data-handling risk.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill automatically reuses an environment token or fetches an anonymous token from the remote API without explicitly informing the user that a credentialed session will be established and maintained. While the instructions say not to expose tokens, silent token acquisition and session creation can still surprise users and obscure account/session implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal