What Is Ai Video

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud video-editing skill, but it can route broad user messages, prompts, and media to NemoVideo with too little explicit consent.

Review before installing. Use it only for media and prompts you are comfortable sending to NemoVideo cloud services, and prefer explicit confirmation before token setup, session creation, uploads, or catch-all chat forwarding. VirusTotal was pending and is not the basis for this Review verdict.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (87% confidence)
Finding
The onboarding examples are broad and ambiguous, which can cause the skill to activate for vague prompts and start external setup/API actions before the user has clearly consented to use this specific tool. In this skill, that ambiguity is more dangerous because first interaction triggers token acquisition and session creation against a third-party video service, increasing the chance of unintended data sharing or unexpected network activity.

Vague Triggers

Medium (92% confidence)
Finding
The catch-all routing rule sends 'everything else' to the SSE backend, meaning many unrelated or insufficiently specific user messages could be forwarded to a remote service. Because the backend receives raw user text and may drive further actions in a persistent session, this broad trigger materially raises the risk of unintended prompt exfiltration, accidental edits, and surprising third-party processing.

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs users to upload clips and describes cloud rendering, but it does not prominently warn that uploaded media, prompts, and session data are transmitted to external APIs for processing. In a media tool handling potentially sensitive recordings, this omission undermines informed consent and can lead users to disclose confidential content to a third-party service without realizing it.

VirusTotal

66/66 vendors flagged this skill as clean.
