ClawHub

Clip Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-editing helper, but users should know their media and editing prompts are sent to Nemo Video's remote service.

Install only if you are comfortable sending selected videos, media URLs, and editing instructions to mega-api-prod.nemovideo.ai. Avoid confidential or sensitive footage unless you trust that provider, keep NEMO_TOKEN private, and ask the agent to confirm before uploads or exports when privacy, credits, or plan limits matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill’s example prompts and onboarding language are broad enough to match generic video-editing requests, which can cause the agent to invoke this skill unexpectedly. Because the skill automatically connects to a cloud backend and may upload user media, accidental invocation can lead to unintended external data transmission and surprising actions without clear user intent.

Vague Triggers

High
Confidence
94% confidence
Finding
The routing rule that sends 'Everything else' to the SSE editing path is overly permissive and effectively makes the skill a catch-all for many unrelated or ambiguous prompts. In this skill’s context, that is risky because the SSE path can drive remote editing operations against a live cloud session, increasing the chance of unintended processing, external API calls, and user data being acted on without sufficiently specific consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that it connects to a cloud processing backend and performs server-side rendering, but it does not present a prominent, explicit privacy warning before user media is transmitted off-device. Since videos may contain sensitive personal, biometric, location, or confidential business information, failing to clearly disclose remote upload and processing can undermine informed consent and create privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal