ClawHub

Korean Editor Ai

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill’s uploads, token use, sessions, and exports fit its stated purpose, but users should treat uploaded footage as shared with an external service.

Install only if you are comfortable sending video files, edit prompts, and a NemoVideo token or anonymous session token to the cloud video backend. Avoid confidential, personal, unreleased, or legally restricted footage unless you trust that provider’s privacy, retention, and access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger examples are broad and generic enough that the skill may activate on common phrases like 'export 1080p MP4' without clear user intent to use this specific cloud video-editing service. In context, unintended invocation is more dangerous because the skill performs automatic setup and may obtain tokens, create sessions, and route user media to a third-party backend before the user fully understands that cloud processing is occurring.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing rule sends 'Everything else' to the SSE editing action, which is an ambiguous catch-all that can capture unrelated or insufficiently specific user input. Because the SSE path forwards user text to a remote service and may mutate session state, this increases the risk of unintended external data disclosure and unintended actions in an active editing session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill prominently encourages users to share raw footage and begins automatic setup with a cloud processing API, but it does not clearly warn that media and instructions are sent to an external service. In this context, that omission is significant because users may upload sensitive personal or unpublished video content without informed consent about third-party processing and retention implications.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal