Ai Video Editor Kya Hai

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends selected media and editing prompts to NemoVideo, with no evidence of hidden local code or unrelated access.

Install only if you are comfortable sending the videos you choose, any audio or images you use, URLs, and editing prompts to NemoVideo's cloud service. Avoid confidential, regulated, or highly personal footage unless you trust the provider's data handling, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill’s public framing says users upload raw video files, but the documented API flow allows arbitrary remote URL ingestion and many non-video/media formats. That expands the trust boundary significantly and can enable server-side fetching of attacker-controlled URLs, unintended data ingestion, and user deception about what content may be transmitted to the backend.

Vague Triggers

Medium
Confidence: 88%
Finding
Routing 'Everything else' to the SSE action makes the skill’s activation boundary ambiguous and can cause unrelated user input to be sent to the external backend. In this skill, that matters because SSE messages are forwarded to a cloud service tied to a persistent session, increasing the chance of overcollection, unintended actions, or surprising data disclosure.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill description encourages users to upload videos but does not clearly warn that those files are sent to a third-party cloud backend for processing and export. This undermines informed consent for potentially sensitive media and is more serious here because videos often contain faces, voices, locations, and other personal data.

VirusTotal

66/66 vendors flagged this skill as clean.
