ClawHub

Ugc Editor

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that clearly relies on NemoVideo’s remote API, with no evidence of hidden code, unrelated data access, or destructive behavior.

Install this only if you are comfortable using NemoVideo’s remote service. Keep NEMO_TOKEN private, expect the skill to create a remote session when opened, and avoid uploading sensitive clips, private faces, documents, unreleased products, or confidential brand material unless you accept that it will be processed off-device.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill directs the agent to automatically mint anonymous tokens and create backend sessions before the user explicitly requests or consents to network actions. This expands the skill's effective capability from local editing assistance to account/session provisioning against a third-party service, which can lead to unintended network access, token abuse, and opaque use of remote resources.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The frontmatter declares access to an environment token and local config paths, which gives the skill credential-discovery and host-inspection behavior beyond what is necessary for a simple editing interface. Even if intended for convenience, this broadens the trust boundary and increases the risk of exposing secrets or leaking local environment details to a remote backend.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill says to automatically connect to the backend and create anonymous tokens, but it does not prominently warn users that this triggers outbound requests and remote processing setup. That lack of transparency can cause users to unknowingly send identifiers and later media metadata to a third party, undermining informed consent and privacy expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill invites users to upload raw video clips to remote GPU nodes without an explicit privacy or data-handling disclosure. Because user-generated video often contains faces, voices, homes, documents, and other sensitive content, omission of a clear warning materially increases privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal