Ai Video Pro Online

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, but users should know their videos and prompts are sent to NemoVideo's remote service.

Install this only if you are comfortable sending video files, prompts, and editing state to NemoVideo's cloud backend. Avoid confidential or sensitive footage unless you trust that service's privacy and retention practices, and prefer using your own NEMO_TOKEN rather than relying on anonymous token creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium, 91% confidence
Finding
The getting-started examples and startup phrasing are broad enough that ordinary conversation such as discussing video editing ideas could unintentionally invoke the skill. Unintended activation can cause users to upload media or initiate remote processing without clear, deliberate consent, which is especially concerning because the skill sends content to a cloud backend.

Vague Triggers

Medium, 95% confidence
Finding
The routing table contains a catch-all rule that sends "Everything else" to the SSE editing action, which makes invocation overly permissive. This increases the chance that unrelated user text is forwarded to the remote backend, potentially exposing sensitive content and causing unintended actions or credit consumption.

Missing User Warnings

Medium, 93% confidence
Finding
Although later sections mention server-side rendering, the user-facing description and initial workflow do not prominently warn that uploaded videos and editing instructions are transmitted to a remote cloud service. Users may reasonably assume local or proxied processing, so the omission weakens informed consent around potentially sensitive media and prompts.

VirusTotal

66/66 vendors flagged this skill as clean.
