ClawHub

Ai Video Editor Hot

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose remote uploads and token use match its stated purpose, but users should only send media they are comfortable processing on NemoVideo servers.

Install only if you are comfortable sending selected videos, images, audio, prompts, and render state to the NemoVideo backend. Do not use confidential footage unless you trust that provider, and confirm the exact local file or URL before upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill permits server-side fetching of arbitrary URLs for video upload, which expands scope beyond user-supplied local files and can enable misuse such as fetching internal or sensitive network resources through the backend. For a video editor, URL import may be a convenience feature, but without strict allowlisting, scheme restrictions, and SSRF protections, it creates an unnecessary attack surface.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation guidance is broad enough that generic editing-related requests may route into this skill without clear user intent, causing users to upload media or trigger remote processing unexpectedly. Because the skill can create sessions, obtain tokens, and send content to a third-party backend, overbroad matching increases the chance of unintended data transfer and action execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill does send user videos and instructions to a remote backend, but the user-facing setup and description do not prominently warn about this before encouraging upload. This is risky because videos often contain sensitive personal, business, or location information, and users may reasonably assume local processing unless remote transmission is made explicit up front.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal