Video Editor With Ai Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose network calls, token use, uploads, and export workflow match its stated purpose, with privacy cautions around third-party processing.

Install only if you are comfortable sending selected videos, media URLs, and editing instructions to NemoVideo's cloud service. Treat NEMO_TOKEN like a credential, avoid sensitive or regulated footage unless the provider's terms meet your needs, and use explicit video-editing prompts so unrelated conversation is not routed into the editing session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The example invocation language is broad enough that ordinary user phrases like asking to 'edit' footage or 'export' a video could trigger the skill without strong intent confirmation. In a skill that uploads and processes user media on a third-party backend, accidental invocation increases the risk of unintended data transfer and user confusion about where content is being sent.

Vague Triggers

Medium
Confidence: 92%
Finding
The routing table maps generic terms like 'export', 'status', 'upload', and effectively 'everything else' to actions, which is insufficiently constrained and can cause the skill to capture unrelated conversation. Because the default path sends most other requests to the SSE backend, ambiguous routing could result in unintended remote requests, session actions, or media-processing operations based on casual language.

Missing User Warnings

Medium
Confidence: 95%
Finding
The user-facing description emphasizes ease of upload and editing but does not clearly warn that uploaded media is transmitted to a cloud service for processing. For a video-editing skill handling potentially sensitive recordings, this omission undermines informed consent and can expose private media, embedded metadata, or confidential screen captures to a third-party backend unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
