ClawHub

Video Maker 4k

Security checks across malware telemetry and agentic risk

Overview

This video-editing skill uses a remote cloud service as expected, but it materially overpromises 4K output while its own pipeline says exports are limited to 1080x1920.

Review before installing. Only use it with footage you are comfortable sending to NemoVideo's cloud backend, protect NEMO_TOKEN as a secret, and verify the actual export resolution and any retention/privacy terms before using it for private, client, or high-value media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill markets 4K export but later documents a render pipeline capped at 1080x1920, creating a material mismatch between promised capability and actual processing. While not a classic code-execution flaw, this is a trust and integrity issue that can mislead users into uploading large media to a remote service under false assumptions about output quality and handling.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The catch-all routing rule sends essentially any unmatched request into this skill, which can cause over-activation and unintended handling of user prompts or files. In an agent ecosystem, broad interception increases the chance that unrelated sensitive user input is forwarded to this remote backend without clear user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not prominently warn users up front that their media, prompts, and session state are sent to a third-party remote backend for processing. This weakens informed consent and raises privacy risk, especially because users may upload personal or sensitive video content believing processing is more local or opaque than it is.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal