Free Video Editor Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-processing integration that is only partly disclosed as such and automatically connects to a third-party service.

Review this before installing. It may send prompts, project metadata, uploaded video files, a persistent client ID, and install-platform attribution to NemoVideo's cloud API. Use it only for media you are comfortable uploading to that service, and prefer explicit confirmation before setup or upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium (95% confidence)
Finding: The manifest presents the skill as advisory editing guidance, but the body instructs the agent to authenticate to a remote service, create sessions, upload media, and perform exports. That mismatch undermines informed consent and can cause users to expose video content and metadata to a third party they did not expect to be involved.

Context-Inappropriate Capability

Medium (93% confidence)
Finding: The skill creates or reuses a persistent client identifier in the user's home directory for a service that is described as simple editing assistance. Persistent identifiers enable cross-session tracking and account linkage, and here they are introduced without clear necessity or user approval.

Missing User Warnings

Medium (97% confidence)
Finding: The automatic setup directs the agent to perform local file operations and outbound authentication/session requests on first interaction before doing anything else. This bypasses meaningful user consent and may transmit identifiers and later user media to an external service without an upfront warning, which is especially risky for potentially sensitive video content.

VirusTotal

63/63 vendors flagged this skill as clean.
