ClawHub

Video Editor Kids

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-editing integration, but it automatically creates remote sessions and can route broad requests to a third-party service that may receive children's media.

Install only if you are comfortable with NemoVideo receiving prompts, files, and media metadata for processing. Avoid uploading private children's videos, school details, faces, voices, or location-revealing footage unless you trust the provider and have appropriate consent; use a dedicated token where possible and monitor credit usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill goes beyond simple video editing instructions by directing the agent to obtain anonymous authentication tokens and create backend sessions automatically. This expands the privilege and data-handling scope of the skill, creates a hidden account/session management workflow, and could cause users' media and requests to be processed by a third-party service without explicit informed consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation language is broad enough that ordinary editing-related user requests may trigger this skill even when the user did not intend to use a remote kids-video backend. That raises the risk of accidental activation, unexpected uploads, and opaque third-party processing of user media.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The catch-all rule routes nearly any unmatched request into the SSE editing path, making unintended activation highly likely. In a skill that can upload media and initiate remote processing, ambiguous routing increases the chance of data being sent off-device without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to connect to a remote backend, obtain tokens, and create sessions, but it does not prominently warn users that uploaded videos and related prompts are sent to an external service. Because this skill targets kids' videos and school-project recordings, the missing disclosure materially raises privacy and consent concerns around potentially sensitive media involving minors.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal