Video Editor Free Software

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but it sends selected videos and prompts to an external NemoVideo service and uses a bearer token/session.

Install only if you are comfortable sending your selected videos, audio, images, and edit instructions to mega-api-prod.nemovideo.ai. Use a dedicated NEMO_TOKEN if possible, do not share logs containing bearer tokens or session IDs, and confirm uploads/exports before the agent proceeds, especially for recordings with private screens, faces, documents, or credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill instructs the agent to obtain anonymous auth tokens and create backend sessions automatically, which expands its behavior beyond simple local/video-editing orchestration into account-like access management against a third-party service. This is risky because it can trigger external network actions and consume trial credits without clear user awareness or consent, and it normalizes implicit authentication flows for uploaded media.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The skill includes credit-balance, subscription, and billing-adjacent handling that is not necessary for the core task of editing a user's video. While not directly exploitative on its own, exposing these workflows broadens the agent's operational scope and can lead to unintended account-state probing or persuasive upsell behavior unrelated to the user's immediate request.

Context-Inappropriate Capability

Low
Confidence: 88%
Finding
The skill directs the agent to inspect local install paths and parse frontmatter metadata at runtime to construct attribution headers. Accessing local environment/install-path details is not required for editing a video and increases the risk of unnecessary local information exposure or fingerprinting of the host platform.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill performs network authentication, token acquisition, session creation, and likely media upload to an external API without a clear user-facing warning that content and identifiers will leave the local environment. In the context of a video-editing skill, this is especially sensitive because uploaded videos may contain private screens, documents, faces, or audio, so silent transmission materially increases privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.
