ClawHub

Ugc Video

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-editing skill, but it can automatically create remote sessions and send prompts, uploaded media, or media URLs to a third-party backend with limited consent and privacy guardrails.

Review before installing if you handle private, client, regulated, unreleased, or internal footage. Use it only for videos, prompts, and URLs you are comfortable sending to NemoVideo's cloud backend, avoid internal/private URLs, and treat NEMO_TOKEN as a private session credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation examples are very generic (e.g. 'export 1080p MP4', 'trim the clip, add on-screen text'), which can cause the skill to activate from ordinary video-editing language without clear user intent to use this specific cloud service. In a skill that uploads media and creates remote sessions, ambiguous triggering increases the chance of unintended data transfer or external API usage.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The routing table sends 'Everything else' related to generation or editing into the SSE workflow, creating a broad catch-all that can capture many normal user requests. Because this skill performs authenticated remote operations and may process user media, ambiguous routing can trigger external actions when the user may have intended a local or different tool workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages users to drop raw phone footage into chat and states processing occurs on cloud GPUs, but it provides no clear privacy notice, retention policy, or warning about third-party handling of uploaded files. Users may unknowingly send sensitive videos, faces, voices, locations, or metadata to an external service without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal