Video Editing Ai Laptop

Security checks across malware telemetry and agentic risk

Overview

This video-editing skill appears purpose-aligned, but it automatically contacts a third-party backend and can route broad user input to remote processing without enough explicit user control.

Review before installing. Use it only if you are comfortable with Nemovideo receiving media files, URLs, prompts, session metadata, and render data; avoid confidential footage unless the publisher adds clearer consent, privacy, retention, and token-handling details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 90% confidence
Finding
The sample invocations are very generic phrases like "edit my raw video footage" and "export 1080p MP4," which can match ordinary user requests without a strong, explicit skill-selection signal. This raises the chance of accidental invocation and unintended transfer of user media or prompts to a third-party backend.

Vague Triggers

Medium, 93% confidence
Finding
The routing table sends "Everything else" to the SSE action, effectively creating a catch-all path for arbitrary input. In a skill that can upload media, create remote sessions, and send user content to an external service, broad routing increases the risk of unintended activation and data disclosure from normal conversation.

Missing User Warnings

Medium, 88% confidence
Finding
Although the file mentions remote GPU processing, it does not present a clear, upfront privacy warning that uploaded videos, audio, images, and editing instructions are transmitted to external servers for processing. Given the skill handles potentially sensitive user media, insufficient disclosure can lead to users unknowingly sharing private content with a third party.

VirusTotal

65/65 vendors flagged this skill as clean.
