ClawHub

Generation Editing Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video editing skill with expected privacy considerations but no evidence of hidden, destructive, or malicious behavior.

Install only if you are comfortable sending video, image, audio files, editing prompts, and project metadata to nemovideo.ai for cloud processing. Avoid confidential footage unless you trust that service and its retention/deletion policies, and use the skill only for clear editing requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a raw-footage video editing tool, but the documented backend accepts additional media types and URL-based uploads that materially expand what data can be sent to the remote service. This mismatch increases the chance that users or calling agents will provide unintended content to a third party without understanding the broader ingestion surface.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Routing nearly every unmatched request into the editing action creates an overly broad invocation surface, making accidental or unrelated prompts more likely to be sent to the remote backend. In a skill that uploads media and forwards user messages to an external service, permissive triggering increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to establish a backend connection, obtain tokens, create sessions, and upload user media and prompts to a remote API, but the description does not clearly warn users that their content leaves the local environment. This is a meaningful transparency and privacy failure because users may share sensitive footage under the assumption of local-only processing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal