Video Editing With Canva

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill, but it automatically connects to a third-party NemoVideo backend and is branded as Canva without showing an actual Canva integration.

Review this carefully before installing. Use it only if you are comfortable with selected videos, images, prompts, session metadata, and render outputs being processed by NemoVideo cloud services rather than a clearly documented Canva integration. Avoid private, regulated, or confidential media unless you trust that provider and its retention/privacy practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Low
Confidence: 91%
Finding
The skill instructs the agent to inspect local install-path conventions such as ~/.clawhub/ and ~/.cursor/skills/ and transmit the inferred platform in request headers, even though that data is not necessary to perform video editing. Reading local filesystem-derived environment details and sending them to a third party expands data disclosure beyond user expectations and creates avoidable fingerprinting of the host environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill directs the agent to automatically obtain a token and create a remote session on first open, without first giving a prominent user-facing notice that data and metadata will be sent to an external service. This can result in network access and account/session creation before informed consent, which is especially sensitive in a skill that processes user-provided media files and prompts.

VirusTotal

64/64 vendors flagged this skill as clean.
