Free Video Cutter Online

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real cloud video tool, but it needs review because it uploads media to NemoVideo and supports broader editing than its video-cutter description suggests.

Install only if you are comfortable sending videos, prompts, and related metadata to NemoVideo's cloud service. Treat it as a broader cloud video-editing integration, not just a local cutter, and avoid confidential or highly private footage unless you trust the service's retention and privacy practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

High
Confidence: 94%
Finding
The skill is presented as a narrow video cutter, but its routing explicitly sends all other editing or generation requests to a general SSE backend. That creates a scope mismatch: users and host platforms may grant trust, permissions, or invocation based on a limited-purpose description while the skill actually exposes a much broader remote capability surface.

Description-Behavior Mismatch

Medium
Confidence: 85%
Finding
The skill advertises support for a small set of video formats, but the backend documentation lists many additional media import/export types including images and audio. This discrepancy can mislead users and reviewers about what data types may be uploaded or produced, increasing the chance of unintended data handling and policy bypass.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The skill claims to only trim and cut videos, yet later guidance encourages broader editing such as adding background music. This hidden expansion of functionality increases the effective attack surface and can lead users to disclose or process more content than they expected under a seemingly simple utility.

Vague Triggers

Medium
Confidence: 83%
Finding
The example triggers are broad and generic, making accidental or context-inappropriate invocation more likely. In agent environments, vague triggers can cause media uploads or backend actions to occur when the user did not clearly intend to use this specific remote processing skill.

Vague Triggers

Medium
Confidence: 92%
Finding
The routing table includes an 'Everything else' catch-all that forwards broad requests to SSE. Catch-all dispatch in a skill advertised as a narrow utility can capture unrelated user intents and send them to a remote service, creating both overreach and unbounded behavior beyond the reviewed feature set.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill relies on a cloud backend for upload, processing, session state, and export, but it does not prominently warn users that their media and associated metadata are sent to a remote third-party service. This is a real privacy and consent issue, especially for personal videos that may contain sensitive content, location data, or biometric information.

VirusTotal

VirusTotal findings are pending for this skill version.
