Video Editing With Canva Ai

Security checks across malware telemetry and agentic risk

Overview

This skill performs real cloud video editing, but it under-discloses that it uses NemoVideo rather than Canva and can start remote sessions too broadly.

Review before installing. Use only media you are comfortable sending to NemoVideo, do not assume this is an official Canva integration, and require clear confirmation before creating sessions, uploading files, sending prompts, or exporting renders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 94%
Finding
The routing table sends all unmatched prompts into the SSE editing workflow, which makes ordinary conversational input likely to trigger backend processing unintentionally. In a skill that can create sessions, upload media, and send user content to a remote service, overbroad invocation increases the chance of surprise network actions and unintended disclosure of user intent or attached content.

Vague Triggers

Medium
Confidence: 88%
Finding
The example phrases are broad and overlap with common language, which can cause accidental invocation of the skill outside a clearly expressed editing request. Because the skill then connects to an external API and may establish authenticated sessions, vague invocation guidance materially raises the risk of unintended backend interaction.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explains cloud rendering in technical sections, but it does not present a prominent user-facing warning up front that uploaded videos and images are sent to a third-party cloud backend for processing. This is dangerous because users may share sensitive or private media without understanding the external transfer, retention, and processing implications.

Natural-Language Policy Violations

Medium
Confidence: 81%
Finding
Hard-coding session creation to English without user choice can mishandle user instructions, degrade consent quality, and cause prompts to be interpreted differently than intended. While not a classic security flaw, it can contribute to unsafe or incorrect remote actions when users communicate in another language and the backend processes those requests under the wrong locale.

VirusTotal

64/64 vendors flagged this skill as clean.
