Best Video Editing App

Security checks across malware telemetry and agentic risk

Overview

This appears to be a cloud video-editing skill, but users may not get clear enough notice before their media and prompts are sent to a remote backend.

Review this carefully before installing. Use it only if you are comfortable sending selected videos, audio, edit prompts, and metadata to Nemo's cloud service, and require explicit confirmation before any session creation or upload. Avoid private, confidential, biometric, location-sensitive, or client media unless the service's retention and privacy terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases and fallback behavior are broad enough that ordinary user conversation could unintentionally activate the skill and initiate backend interaction. In this skill, unintended activation is more concerning because activation can lead to remote API calls, token acquisition, session creation, and eventual transfer of user media or editing prompts to a third-party service.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill encourages users to share raw video clips and instructions but does not clearly disclose up front that those files and prompts are transmitted to a remote backend for processing. Because uploaded media may contain sensitive visual, audio, location, or biometric information, lack of explicit disclosure undermines informed consent and can cause inadvertent data exposure to a third party.

Natural-Language Policy Violations

Medium
Confidence: 81%
Finding
Hard-coding `"language":"en"` removes user choice and may cause user prompts or generated outputs to be processed under the wrong language setting. While not as severe as direct data exfiltration, it can lead to misinterpretation of user intent, degraded output quality, and privacy or compliance issues where language preference and transparency matter.

VirusTotal

64/64 vendors flagged this skill as clean.
