ClawHub

Video Editor Eddie

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, but users should expect their media, prompts, and NemoVideo token/session data to be sent to the provider API.

Install only if you are comfortable sending selected video, image, audio files, and edit prompts to NemoVideo's cloud service. Use it when you intentionally want video-editing work, avoid private recordings unless you accept that processing, and protect any NEMO_TOKEN because it may control sessions or credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation examples are broad and generic enough that normal user requests like 'export 1080p MP4' or 'edit my raw video footage' could unintentionally trigger this skill. Because the skill then performs automatic setup and connects to a third-party API before doing anything else, accidental activation can cause unintended network access and media-processing actions.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The routing table contains a catch-all rule ('Everything else') that maps essentially any remaining prompt to the SSE editing action. In practice, this can over-match ordinary conversation and send arbitrary user text to the remote backend, increasing the risk of unintended data disclosure, unwanted API calls, and surprise actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The user-facing description encourages uploading raw footage and describing edits, but it does not clearly disclose that both media and prompts are sent to a cloud processing API operated at an external domain. This undermines informed consent and can expose sensitive screen recordings, audio, or embedded personal data to third-party infrastructure without adequate warning.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal