ClawHub

Video Maker Editor Free Download

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends selected media and editing instructions to nemovideo.ai, with no executable installer code found.

Install only if you are comfortable sending the media files and edit prompts you provide to nemovideo.ai for cloud processing. Use a dedicated NEMO_TOKEN if available, avoid sensitive media unless you trust the provider's privacy practices, and watch for credit, registration, or upgrade requirements before exporting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing rule sends 'Everything else' to the SSE backend, which is an overly broad catch-all activation path. This can cause unrelated or ambiguous user prompts to be forwarded to an external service, increasing the risk of unintended data disclosure, surprise network activity, and skill execution outside the user's clear intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes cloud processing but does not clearly warn users up front that uploaded media and editing instructions are transmitted to a third-party remote service. For user-provided videos, this is sensitive content, and lack of prominent disclosure undermines informed consent and can expose private media unexpectedly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions explicitly tell the agent to hide technical details while performing authentication, session creation, and network calls, including minting anonymous tokens when no credential is present. Concealing backend authentication and remote actions prevents informed user consent and can result in undisclosed account creation, token acquisition, and transmission of user data to external infrastructure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal