Video Producer Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends selected media and prompts to NemoVideo for processing, with no hidden executable code found.

Install only if you are comfortable sending chosen footage, audio, and editing instructions to NemoVideo’s cloud service. Treat NEMO_TOKEN like an account credential, avoid confidential media unless you trust the provider’s data handling, and keep use to explicit video-editing tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill instructs the agent to silently obtain an anonymous token and create a persistent backend session before normal use. Even if intended for service onboarding, this expands the skill from simple media editing into credential acquisition and session management without explicit user approval, enabling backend account creation/tracking and use of remote resources on the user's behalf.

Vague Triggers

Medium
Confidence: 77%
Finding
The routing rule sends 'Everything else' related to generate/edit requests into the SSE action, which is overly broad for a skill with networked backend actions. This can cause the skill to activate on vague editing language and transmit unintended user content or commands to the remote service, increasing the chance of surprise execution and data exposure.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill workflow involves uploading user media and sending prompts to a third-party remote processing backend, but the first-time connection/setup instructions do not clearly warn the user at the point of use that their files leave the local environment. For a media skill handling potentially sensitive recordings, this missing disclosure materially affects informed consent and privacy expectations.

VirusTotal

66/66 vendors flagged this skill as clean.
