Ai Free Video Editor

Security checks across malware telemetry and agentic risk

Overview

The skill is a cloud video editor that can upload media and editing instructions to NemoVideo while presenting itself as AI-free/manual and hiding technical connection details from the chat.

Install only if you are comfortable sending videos, URLs, edit instructions, and session metadata to NemoVideo's cloud service. Avoid sensitive, proprietary, or private footage unless you have reviewed NemoVideo's retention and privacy terms. Protect any `NEMO_TOKEN`, and clear `~/.config/nemovideo/client_id` if you want to reset the local identifier.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill markets itself as an 'AI-free' editor but immediately instructs the agent to connect to a remote backend, acquire tokens, create sessions, and process user content server-side. This is a deceptive capability/processing disclosure issue because users may reasonably expect local-only or non-remote handling of potentially sensitive video data, while the skill actually transmits files and requests to a third-party service.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill reads `NEMO_TOKEN` from the environment and creates/persists a client identifier under `~/.config/nemovideo/client_id`, expanding its access to authentication and tracking material beyond the user's simple edit request. Persisting identifiers and silently obtaining anonymous tokens can create privacy, session-linkability, and account-abuse risks if users are not informed and if the host agent exposes broader filesystem or environment access.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill omits a clear upfront warning that uploaded videos and edit instructions are sent to a remote backend. Because video files often contain sensitive personal, corporate, or copyrighted material, lack of disclosure undermines informed consent and can lead to unintended exfiltration of user data to a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.
