ClawHub

Hd Video Editor

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing connector; it uses a remote NemoVideo API, tokens, sessions, uploads, and exports in ways that fit its stated purpose.

Install only if you are comfortable using NemoVideo's cloud service for editing. Do not upload private, regulated, or sensitive footage unless you trust that service, and treat NEMO_TOKEN like an account credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill goes beyond simple video editing by instructing the agent to mint anonymous third-party credentials and create remote sessions automatically. That introduces undisclosed account and service interaction, expands the data-sharing boundary, and could cause users to consume a third-party service or leak usage metadata without informed consent.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The skill metadata references local config paths and later instructs deriving platform information from local install paths, which is unrelated to core video editing. Even if only used for attribution headers, collecting environment and filesystem context increases unnecessary host fingerprinting and may expose local setup details to the remote service.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The routing rules are broad enough that common words like 'export,' 'status,' or any uploaded file can automatically trigger networked actions. In a skill that performs uploads and remote rendering, loose activation increases the chance of unintended invocation, accidental file transfer, or unexpected external API calls.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal