ClawHub

Free Video Editor Mac

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill is purpose-aligned, but users should review it because it can automatically connect to a third-party backend and route broad prompts or media workflows to that service.

Install only if you are comfortable sending media files, prompts, session IDs, render data, and related metadata to NemoVideo's cloud service. Use it for non-confidential media, keep token handling separate from other accounts, and give explicit upload/edit/export/status instructions rather than vague prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill advertises broad trigger phrases like "export," "upload," and "status," which are common conversational terms and could cause the skill to activate when the user did not intend to invoke this particular remote video-editing workflow. In this context, accidental invocation is more concerning because the skill can automatically establish backend sessions and encourage media upload to a third-party service, increasing the chance of unintended data transfer or user confusion.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description emphasizes convenience and cloud processing but does not clearly warn users up front that uploaded videos, images, and audio are transmitted to a remote backend for processing. Because media files may contain sensitive screen recordings, personal information, or confidential business content, the lack of a prominent disclosure undermines informed consent and raises privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal