Video Clip Maker Youtube

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a cloud video/text generation helper, but it under-discloses that it automatically authenticates and sends prompts, files, and local platform metadata to a third-party backend.

Review before installing. Use it only with media and documents you are comfortable sending to the NemoVideo backend, and expect it to create or use a token, maintain a remote session, and transmit prompts/files plus skill attribution metadata. Avoid confidential, regulated, client, or private personal content unless you trust the service's data handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill instructs the agent to obtain and use an anonymous bearer token from either the environment or a remote auth endpoint, then use it for subsequent API calls. While remote processing is expected for a cloud video editor, silently minting credentials and managing authenticated sessions without clear user consent expands trust and can enable unauthorized outbound actions or billing/identity misuse against the third-party service.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill derives `X-Skill-Platform` from local install-path locations such as `~/.clawhub/` and `~/.cursor/skills/`, then sends that metadata to a remote backend. This collects and exfiltrates local environment details that are not necessary for core video clipping, creating unnecessary fingerprinting of the user's host setup.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill states that rendering happens server-side, but it does not prominently warn users that uploaded media and prompt content are transmitted to a third-party backend for processing. For a media-processing skill handling potentially sensitive videos, inadequate disclosure materially increases privacy and data-handling risk.

VirusTotal

58/58 vendors flagged this skill as clean.
