ClawHub

Ai Video Editor Edimakor

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video editor that openly uses NemoVideo APIs for upload, editing, credits, and export, with some broad routing language users should notice.

Install only if you are comfortable sending your raw media files and editing instructions to the NemoVideo/Edimakor cloud service. Avoid uploading private, confidential, or rights-restricted footage unless you have reviewed the service's privacy and retention terms, and be aware that anonymous credits or a paid account may be needed for export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example trigger phrases are broad enough to activate on ordinary conversational language such as generic requests to edit or export media. That increases the chance of unintentional skill invocation and can cause users to send video content or initiate remote processing without realizing a third-party cloud service is being used.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The routing table contains a catch-all rule that sends 'everything else' to the SSE editing action, which is effectively an ambiguous activation path for almost any free-form prompt. In a chat environment, this can cause the skill to process unrelated user text, trigger external API calls, and potentially expose user intent or content to the backend without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes cloud processing details but does not present a clear upfront warning that uploaded media and editing instructions are transmitted to a remote third-party API. Because users may share raw footage containing sensitive or unpublished material, the lack of prominent disclosure undermines informed consent and increases privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal