Video Trimmer Free

Security checks across malware telemetry and agentic risk

Overview

This looks like a real cloud video-editing skill, but it uploads media to a third-party backend and does more than simple trimming without clear upfront consent.

Review before installing. Treat this as a broader cloud video editor, not only a local trimmer. Install only if you are comfortable sending videos, audio, images, prompts, URLs, and project state to NemoVideo's backend, and avoid confidential or regulated media unless the provider's privacy and retention terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill’s manifest frames the capability as simple video trimming, but the body documents significantly broader media-editing behavior including text overlays, audio tracks, generic editing, and multi-format export. This mismatch weakens informed consent and review controls because users and platform operators may authorize a seemingly narrow skill that can process a wider range of content and actions than advertised.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill advertises user-uploaded local video processing, but it also supports backend fetching from arbitrary URLs. Undisclosed remote-fetch capability can expose users and the platform to unexpected external resource access, privacy issues, and policy bypasses because the actual data source is broader than the manifest implies.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill directs users to send video files to a remote backend and highlights cloud GPU processing, but it does not provide a clear, up-front user warning about cloud transmission, third-party processing, retention, or privacy implications. Videos commonly contain sensitive personal, workplace, or location data, so silent remote upload creates a meaningful privacy and consent risk.

Missing User Warnings

Low
Confidence: 84%
Finding
The skill automatically uses the NEMO_TOKEN environment variable or acquires an anonymous token without clearly telling the user that credentials or authentication state are being used on their behalf. This is dangerous because users may unknowingly authorize requests under an existing account context or misunderstand how backend access and quotas are being consumed.

VirusTotal

66/66 vendors flagged this skill as clean.