ClawHub

Video Trimmer Exe

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video trimming/editing skill, with the main user consideration being that media, URLs, and prompts are sent to nemovideo.ai for processing.

Install only if you are comfortable sending videos, media URLs, and editing prompts to nemovideo.ai for cloud processing. Avoid uploading confidential, private, or rights-sensitive media unless you have reviewed the service terms and retention expectations, and ask for confirmation before processing ambiguous requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a simple video trimming tool, but the instructions expose substantially broader editing and session-inspection capabilities, including text overlays, audio/BGM handling, aspect-ratio related routing, and timeline/state access. This scope mismatch can mislead users and host systems about what the skill will actually do, weakening informed consent and increasing the chance of unexpected data processing or overbroad invocation.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Allowing URL-based media ingestion expands the attack surface beyond user-uploaded local files and is not clearly justified by the advertised trimming workflow. Remote fetch features can be abused to pull unexpected content, cause privacy issues, or enable server-side request behavior against attacker-controlled URLs if the backend follows arbitrary locations.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing rule sends essentially all unmatched requests to the SSE editing path, making the skill eligible for far more prompts than its stated purpose suggests. Overbroad activation increases the risk of unintended cloud requests, unnecessary token use, unexpected data disclosure to the backend, and accidental execution of editing/export workflows from loosely related user input.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill routes user media to a cloud processing backend, but the description does not prominently warn users that files and prompts are transmitted off-device. In a media-handling skill, this omission undermines informed consent and can expose sensitive video content, metadata, or private recordings to third-party processing without sufficiently clear disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal