Clip Assistant

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud video-editing skill, but it can route broad or ambiguous requests to a third-party backend without clear upfront privacy consent.

Review before installing. Use it only if you are comfortable sending videos, prompts, and editing metadata to NemoVideo's cloud service, and avoid private, confidential, client, or interview footage unless the publisher documents retention, sharing, deletion, and consent controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation examples are short, generic phrases like "edit my video clips" and "export 1080p MP4," which can plausibly overlap with ordinary user requests in broader chat contexts. That increases the chance of accidental skill activation and unintended routing into a workflow that performs networked video-processing actions and token/session setup.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing table sends "Everything else" to the SSE editing path, creating an extremely broad catch-all trigger that can capture unrelated or ambiguous user input. In this skill, that default path can initiate cloud-side editing logic and backend communication, so misrouting could cause unintended processing of user content or external requests.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to connect to a cloud backend, obtain tokens, create sessions, and upload/process user video, but it does not prominently warn users that their media and related metadata will be transmitted to a third-party service. Because interview recordings may contain sensitive personal or confidential information, lack of clear disclosure meaningfully increases privacy and consent risk.

VirusTotal

66/66 vendors flagged this skill as clean.
