Easy Ai Video Editing

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose network use and media uploads fit its purpose, but users should understand that files and prompts may be sent to the provider before use.

Install only if you are comfortable sending videos, images, audio, prompts, and related metadata to NemoVideo's cloud backend. Avoid confidential or regulated footage unless you trust the provider's privacy, retention, and deletion practices. Expect that the skill may automatically create a temporary anonymous token and session when NEMO_TOKEN is not configured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium, 93% confidence
Finding
The manifest and top-level description frame the skill as a video editor, but the body expands accepted inputs to images and standalone audio files. That mismatch can mislead users and host platforms about the true data-handling scope, increasing the chance that users transmit different media than they intended under incomplete consent and review assumptions.

Vague Triggers

Medium, 88% confidence
Finding
The trigger examples are broad and generic enough that ordinary user phrases may invoke the skill unintentionally. In this skill's context, accidental activation is riskier because invocation can lead to backend session creation and possible cloud transmission of user media or requests without a clearly intentional opt-in moment.

Vague Triggers

Medium, 91% confidence
Finding
The catch-all rule routes 'Everything else' to SSE, which creates unclear activation boundaries and can send broad user instructions to the remote backend. Because this skill uses a cloud editing service, vague routing increases the chance of overcollection, unintended external disclosure of prompts, and actions being taken when the user did not clearly request this tool.

Missing User Warnings

Medium, 96% confidence
Finding
The skill description does not clearly warn that uploaded media and prompts are transmitted to a third-party cloud backend for processing. This is dangerous because users may share sensitive or private video/audio content under the assumption of local handling, making informed consent and data exposure controls inadequate.

VirusTotal

65/65 vendors flagged this skill as clean.