Editor Free Download

Security checks across malware telemetry and agentic risk

Overview

This cloud video editing skill is generally coherent, but it can automatically connect to a third-party backend and route broad user prompts or media workflows without a clear consent gate.

Review before installing. Use this only if you are comfortable with Nemovideo receiving your selected media files, edit prompts, session data, and token-backed API requests. Avoid private, regulated, or sensitive recordings unless you trust the provider, and confirm uploads, exports, and credit-consuming actions explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding:
The invocation examples are broad and generic enough that ordinary user conversation like 'export 1080p MP4' or 'edit my raw video clips' could trigger the skill unintentionally. In this skill, accidental activation is more sensitive because it can initiate backend authentication/session setup and prompt users to upload media to a third-party service, creating privacy and consent risks.

Vague Triggers

Medium
Confidence: 97%
Finding:
The routing table includes highly ambiguous triggers such as 'download', 'upload', 'status', and especially the catch-all 'Everything else,' which can map normal conversation into API actions without clear user intent. Because this skill can send content to remote services and perform export/state operations, overly broad routing increases the chance of unintended data processing or actions on the user's behalf.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill mentions server-side rendering, but it does not give a clear, prominent warning up front that uploaded media, prompts, and session data are sent to a remote backend for processing. In a media-editing context, uploaded videos may contain sensitive recordings, voices, screens, or personal information, so lack of explicit disclosure undermines informed consent and increases privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.
