ClawHub

Video Editing Karne Ka Ai

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that uses NemoVideo tokens and uploads user-provided media for remote processing, which fits its stated purpose but needs privacy caution.

Install only if you are comfortable sending the videos, images, audio, metadata, and prompts you provide to NemoVideo for cloud processing. Use a dedicated or low-privilege token if possible, avoid sensitive footage unless you trust the provider's retention and privacy practices, and ask the agent to confirm before uploads, exports, or credit-consuming actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing table sends essentially all unmatched requests to the SSE editing action, which can cause the skill to engage on vague or unrelated prompts and start remote processing without clear user intent. In this skill, that fallback is more concerning because the default path can trigger cloud-side actions tied to an authenticated session and uploaded media.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill handles user video uploads through a third-party cloud backend, but the user-facing setup and getting-started text do not prominently warn that media is transmitted off-device for remote GPU processing. That creates a privacy and data-handling risk, especially for personal or sensitive footage, because users may share content without informed consent about where processing occurs.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill explicitly instructs the agent to read and use the NEMO_TOKEN from the environment, but it does not clearly disclose this capability to the user in the visible skill description. While using an env token can be legitimate, the undisclosed use of ambient credentials reduces transparency and could surprise users about what secrets the skill can access during operation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal