ClawHub

Hd Video Maker Free Download

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that openly uses a remote NemoVideo backend, with some broad routing and privacy considerations users should understand.

Install only if you are comfortable sending selected media files, edit prompts, and related session data to mega-api-prod.nemovideo.ai. Avoid confidential or highly personal videos unless you trust that service and understand its token, session, privacy, and retention behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The skill instructs the agent to inspect local install paths to infer which platform it is running on. That is unnecessary for core video-editing functionality and expands data collection about the host environment, creating avoidable fingerprinting and privacy exposure. While the data requested is limited, it conditions the agent to inspect local filesystem context for attribution purposes.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The example trigger phrases are extremely broad and incomplete, such as 'create my video clips' and a dangling phrase fragment, which can cause the skill to activate on vague or unrelated user requests. Overbroad activation increases the chance of accidental cloud actions, session creation, or uploads being initiated without sufficiently clear user intent.

Vague Triggers

High
Confidence
94% confidence
Finding
The routing table sends 'Everything else' to the SSE editing action, making the skill effectively default to a remote backend for any unclassified prompt. In practice, this can cause unintended transmission of user text or workflow execution to an external service, especially because the skill also supports uploads and stateful sessions. The combination of broad matching and remote execution makes accidental data exposure and unintended actions materially more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill clearly directs the agent to connect to a cloud backend, obtain tokens, create sessions, and process user media remotely, but it does not require a prominent user-facing disclosure that files and prompts will be transmitted to a third-party service. For a video editing skill handling potentially sensitive media, lack of explicit consent and disclosure creates a meaningful privacy and data handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal