Video Compressor Best

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud video tool, but it asks for broader remote editing and automatic backend setup than a simple video compressor clearly needs.

Install only if you are comfortable sending selected videos, prompts, session state, and render metadata to NemoVideo's cloud service. Use it for non-sensitive media, and treat it as a broader cloud video editor rather than a compression-only tool unless the publisher narrows the routing and adds explicit consent before connecting or uploading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium (91% confidence)
Finding
The skill is marketed as a simple video compressor, but the routing logic explicitly expands into broader editing features such as overlays, audio, aspect-ratio changes, and general editing flows. This creates a scope-transparency problem: users may consent to a narrow file-compression workflow while the skill actually enables richer remote processing and stateful media manipulation on a cloud backend.

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The documented cloud render pipeline supports compositing, timeline state, and many additional media formats well beyond the advertised compress-and-download workflow. This mismatch increases privacy and trust risk because users may provide sensitive media believing the skill performs only limited local-style compression, while it actually transmits files and metadata to a broader remote processing system.

Vague Triggers

Medium (88% confidence)
Finding
The catch-all rule routes nearly any unmatched request into the SSE editing workflow, which can cause overbroad handling of user input and accidental invocation of remote editing actions not clearly requested by the user. In a skill that uploads media and maintains remote session state, ambiguous routing increases the chance of unintended data processing and feature activation.

Missing User Warnings

Medium (96% confidence)
Finding
The skill does not clearly warn users that uploaded videos and session data are sent to a cloud backend, despite extensive remote API usage, session creation, token handling, and persistent render/state operations. This is dangerous because video files often contain sensitive personal, business, or copyrighted content, and users cannot provide meaningful consent if the remote-processing and retention model is not made explicit.

VirusTotal

65/65 vendors flagged this skill as clean.
