ClawHub

Video Editing With Macbook Pro

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose remote uploads and token use are purpose-aligned, but users should understand their media is sent to NemoVideo for processing.

Install only if you are comfortable sending selected videos, audio, images, URLs, and edit prompts to NemoVideo's cloud service. Use a dedicated NEMO_TOKEN when possible, watch credit usage, and avoid confidential or personal footage unless the provider's privacy and retention terms are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation text is broad enough that ordinary user requests could activate this skill unexpectedly, causing users to be routed into a remote video-processing workflow they did not clearly intend. In this skill's context, accidental activation matters because it can lead to token creation, backend session establishment, and possible upload of user media to a third-party service.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The catch-all routing rule sends 'everything else' into the SSE editing path without clear boundaries, which can over-collect user prompts and initiate backend processing for ambiguous requests. Because this skill connects to an external API and may process uploaded files, ambiguous routing increases the risk of unintended data transfer and unauthorized action on user content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to connect to a remote backend and handle user video uploads without an explicit user-facing notice that files and prompts will be transmitted to a third-party service. In a media-editing skill, uploaded footage can contain sensitive personal, workplace, or proprietary content, so silent transfer materially increases privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal