Video Editor Arabic

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose remote API use, uploads, and limited local token setup fit its stated purpose, though users should treat submitted media as shared with NemoVideo.

Install only if you are comfortable sending your prompts, media files, and submitted URLs to NemoVideo for cloud processing. Avoid confidential, proprietary, or private media unless you trust NemoVideo's handling and retention practices. Be aware the skill can store a persistent client ID under ~/.config/nemovideo and use it to obtain anonymous service tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill directs the agent to generate and persist a client identifier under ~/.config/nemovideo/client_id and to automatically obtain an anonymous token from a third-party service. This creates durable local state and initiates account/session provisioning outside the core user-visible editing action, which can surprise users and enable cross-session tracking or unintended backend usage without explicit consent.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The upload flow accepts arbitrary remote URLs and forwards them to the backend for ingestion. This can be abused to cause the third-party service to fetch attacker-supplied URLs, potentially enabling SSRF-like behavior on the backend side, unexpected access to internal resources, or ingestion of malicious/untrusted content.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs automatic token acquisition and persistent client ID storage but does not clearly notify users that a third-party API will be contacted and that a local identifier will be written to disk. This is a transparency and consent failure that increases privacy risk and makes background network activity harder for users to understand or control.

Missing User Warnings

Medium
Confidence: 93%
Finding
The description encourages users to upload files or paste URLs but does not explicitly state that those media assets and linked resources will be transmitted to NemoVideo's external service. Users may unknowingly send sensitive media or private URLs to a third party, creating privacy and data handling risks.

VirusTotal

VirusTotal findings are pending for this skill version.
