Fast Video Editing With

Security checks across malware telemetry and agentic risk

Overview

This looks like a real cloud video-editing skill, but it can automatically connect to NemoVideo and route broad editing requests to a third-party service without a clear consent step.

Review before installing. Use it only if you are comfortable with video files, prompts, session metadata, and token-based access being sent to NemoVideo's cloud service. Prefer non-sensitive clips, avoid private or regulated footage, and confirm any upload/export action deliberately.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium
Confidence: 87%
Finding:
The example invocations are short, generic phrases like "export 1080p MP4" and "edit my raw video clips," which are common utterances that may appear in unrelated contexts. This increases the chance the skill activates unintentionally and causes user content to be routed to this external video-processing backend without sufficiently explicit intent.

Vague Triggers

Medium
Confidence: 93%
Finding:
The routing table includes an "Everything else" fallback to SSE for generation and editing requests, creating an unconstrained catch-all path. In a skill that sends user prompts and potentially uploaded media to a cloud backend, this broad routing can mis-handle ambiguous requests and trigger remote actions without clear user consent.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The description emphasizes convenience and speed but does not clearly warn users that uploaded videos and related editing instructions are transmitted to a third-party cloud service. Because media files can contain sensitive or proprietary content, the lack of upfront disclosure materially weakens informed consent and increases privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.
