ClawHub

Video Editing With 4k

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill is mostly coherent, but it overstates 4K export capability and gives broad, early authority to create remote sessions and send media/prompts to a third-party service.

Install only if you are comfortable sending video, images, audio, prompts, and project state to the nemovideo.ai cloud API. Avoid sensitive or proprietary footage unless you have checked the service's privacy and retention terms, and expect possible output limits around 1080x1920 despite the skill's 4K wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill markets itself as handling and exporting 4K video, but the documented render pipeline states compression is limited to up to 1080x1920. This is a material mismatch that can mislead users into uploading large, potentially sensitive media under false assumptions about output quality and service capability.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation examples are very generic and can match ordinary conversation, increasing the chance the skill activates when the user did not intend to invoke a cloud video-editing workflow. Because this skill uploads media and creates remote sessions, accidental activation can cause unintended data transfer to third-party services.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The catch-all routing rule sends 'everything else' to the SSE editing action without strong scope limits or exclusions. In a skill that talks to external APIs and interprets broad editing intents, this can route unrelated user text into remote processing and trigger unexpected actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The description does not clearly disclose that uploaded video, images, and audio are transmitted to external cloud APIs for processing. Since users may share raw footage that contains sensitive personal, commercial, or unpublished material, the lack of upfront disclosure creates a significant privacy and consent risk.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The setup flow silently generates a client UUID, requests an anonymous token, and creates a remote session, but the description does not warn users that identifiers and session metadata are sent off-device. While less severe than media upload, this still has privacy implications and reduces informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal