Ai Video Editor Name

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should remember that uploaded videos are sent to a third-party rendering service.

Install only if you are comfortable sending uploaded footage to NemoVideo’s remote service. Avoid private, regulated, confidential, or screen-recorded material unless you have checked the service’s privacy and retention terms, and use a dedicated NemoVideo token rather than any unrelated credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill explicitly directs users to upload raw video footage to a third-party backend and states that rendering happens server-side, but it does not clearly surface a privacy/security warning at the point of use about external transmission, retention, or handling of potentially sensitive media. Because uploaded videos can contain faces, voices, screens, documents, or other sensitive content, silent off-device transfer creates a meaningful privacy and data-governance risk.

Natural-Language Policy Violations

Medium
Confidence: 79%
Finding:
The skill hardcodes session creation with `"language":"en"` before handling user requests, which overrides user preference and can cause prompts, metadata, or generated content to be processed under the wrong language context. This is primarily a trust, usability, and potential privacy/compliance issue rather than a direct security exploit, but it can lead to misinterpretation of user instructions and inaccurate processing for non-English users.

VirusTotal

66/66 vendors flagged this skill as clean.
