Ai Agentic Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill, but it automatically creates a third-party session and can send uploaded videos to nemovideo.ai without a strong upfront consent warning.

Install only if you are comfortable with this skill contacting mega-api-prod.nemovideo.ai, creating an anonymous token/session, and sending uploaded media and editing instructions to that service for cloud processing. Avoid private recordings, customer data, confidential meetings, or sensitive screen/audio captures unless you have consent and understand the provider's data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Low
Confidence: 74%
Finding
The skill instructs itself to inspect local install paths and configuration context at runtime to derive attribution headers, which is host-environment introspection beyond what is necessary for video editing. Even though the data sought is limited, probing filesystem/layout details expands the skill's access pattern and can normalize unnecessary collection of local environment information.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill encourages users to drop raw footage into chat and describes cloud processing, but it does not give a clear, upfront warning that uploaded media and prompts are transmitted to an external service. For a video-editing skill handling potentially sensitive recordings, this omission can lead users to disclose private or regulated content without informed consent.

VirusTotal

VirusTotal findings are pending for this skill version.