Tiktok Editing With Ai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but it uploads selected media and prompts to NemoVideo and may create an anonymous service token automatically.

Install only if you are comfortable sending chosen videos, audio, images, and edit prompts to NemoVideo’s cloud service. Use a dedicated NEMO_TOKEN if you have one, watch for actions that consume credits or exports, and do not use it for sensitive personal footage unless you accept the provider’s privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill directs the agent to automatically mint an anonymous bearer token from a third-party service whenever no existing credential is present. This bypasses an explicit user authentication step and can cause the agent to create and use external service accounts/credits on the user's behalf without clear consent, while also enabling unreviewed data transfer to that provider.

Vague Triggers

Medium
Confidence: 88%
Finding
The routing rule sends essentially all unmatched prompts to the remote editing/SSE action, making accidental invocation likely from ordinary conversation. In this skill, that broad fallback is risky because the default action can transmit user text and potentially uploaded media to an external backend, increasing the chance of unintended processing and data disclosure.

Vague Triggers

Medium
Confidence: 82%
Finding
The getting-started language encourages activation from vague, natural conversation rather than a clearly bounded command. By itself this is mild, but combined with automatic backend setup and broad routing it increases the chance that normal user messages trigger external service interaction unexpectedly.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill's initial user-facing setup flow does not prominently warn that uploaded videos and prompts are sent to a third-party cloud backend for processing. Because the skill handles potentially sensitive personal media, insufficient disclosure can lead users to unknowingly transmit private content off-device.

VirusTotal

65/65 vendors flagged this skill as clean.
