Editor Edimakor

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill that sends selected media and editing prompts to NemoVideo, with some broad routing that users should treat carefully.

Install this only if you are comfortable sending video, audio, images, prompts, and edit state to NemoVideo's cloud service. Use a dedicated NEMO_TOKEN if possible, avoid confidential footage unless you trust the provider's privacy practices, and ask the agent to confirm before uploads or exports when a request is ambiguous.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 84%
Finding
The suggested trigger phrase ending with 'and' is overly broad and can match ordinary conversational text, increasing the chance of unintended invocation or routing. In a skill that uploads media and sends prompts to a third-party backend, accidental activation can expose user content or trigger remote actions without clear intent.

Vague Triggers

Medium
Confidence: 90%
Finding
The catch-all routing rule sends 'Everything else' to the SSE backend, which is too permissive for a networked skill that can create remote edits and process user media. This broad activation surface makes prompt misclassification more likely and increases the risk that unrelated user text is transmitted to the external service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill automatically connects to a cloud backend, obtains tokens, creates sessions, and uploads user media/prompts, but the description does not clearly warn users that their content is transmitted off-device. Because the content may include sensitive video/audio data, insufficient disclosure materially raises privacy and consent risks.

VirusTotal

66/66 vendors flagged this skill as clean.
