Editor Modi

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that is mostly coherent and disclosed, but users should understand it uses NemoVideo tokens, sessions, credits, and cloud uploads.

Install only if you are comfortable sending selected videos, prompts, and media URLs to NemoVideo for cloud processing. Use a dedicated NEMO_TOKEN if possible, monitor credit usage, and avoid sensitive or regulated footage unless you trust the provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding:
The skill instructs the agent to automatically obtain anonymous tokens, create backend sessions, and manage credits before serving the user. That expands behavior beyond simple local video-editing assistance into autonomous account/session handling against a third-party service, which can cause unconsented service use, quota consumption, and hidden authenticated actions.

Context-Inappropriate Capability

Low
Confidence: 85%
Finding:
The skill derives and transmits attribution headers including platform/install-path-derived metadata unrelated to the core editing function. This creates unnecessary environment fingerprinting and leaks contextual host information to the remote backend, increasing privacy risk without clear user benefit.

Vague Triggers

Medium
Confidence: 80%
Finding:
The routing rule sends essentially all non-listed prompts to the editing workflow, creating an overly broad trigger surface. This can cause unrelated user requests or ambiguous input to be forwarded into remote processing, increasing the chance of unintended actions, data transfer, or backend calls without clear user intent.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The skill directs automatic upload of user video to a remote backend but does not require a clear user-facing warning at the point of transfer. Because video files can contain sensitive visual, audio, or metadata content, silent cloud upload meaningfully increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill describes using an environment token or acquiring anonymous credentials and then using them for backend operations without requiring user-visible disclosure. Hidden use of credentials and sessions can mask who is being authenticated, consume quotas, and create confusion about what identity or account is acting on the user's behalf.

VirusTotal

66/66 vendors flagged this skill as clean.
