Video Editing Apps

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should understand that selected media and editing prompts may be sent to NemoVideo for processing.

Install only if you are comfortable sending selected media files, editing instructions, and related job metadata to NemoVideo’s cloud service. Use a dedicated token where possible, monitor credit usage, and avoid uploading confidential media unless you trust the provider’s privacy, retention, and deletion practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The onboarding language is broad enough that ordinary user phrases like 'export 1080p MP4' or 'edit my raw video clips' can trigger the skill before the user has clearly consented to backend connection and remote media handling. In this skill’s context, that increases the risk of unintended activation, token acquisition, and upload workflow initiation for a service that processes user media on third-party infrastructure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill directs users to send raw video clips to a remote backend but does not present a clear, prominent privacy warning at the point of use that media will leave the local environment and be processed server-side. Because uploaded videos may contain sensitive visual, audio, location, or personal data, insufficient disclosure can lead to uninformed consent and accidental exposure of private content.

Natural-Language Policy Violations

Medium
Confidence: 81%
Finding
Hard-coding the session language to English without user choice can cause the backend to misinterpret non-English instructions, metadata, or content, potentially leading to incorrect edits or misleading output. In a media-processing skill this is primarily a reliability and user-safety issue rather than a direct security compromise, but it can still cause unintended actions and poor transparency for multilingual users.

VirusTotal

66/66 vendors flagged this skill as clean.
