Video Trimmer High Quality

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends user-provided videos and prompts to NemoVideo, but the behavior is disclosed and aligned with its purpose.

Install only if you are comfortable sending videos, edit prompts, and render metadata to mega-api-prod.nemovideo.ai. Avoid private or sensitive recordings unless you trust that service, and prefer an anonymous token over an account-linked NEMO_TOKEN when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill is presented as a simple video trimmer, but the documented behavior expands into broader media editing, generation, overlays, audio handling, session state inspection, and export orchestration. This capability mismatch can mislead users and reviewers about what data is sent to the backend and what actions the skill may take, increasing the risk of overbroad invocation and unintended processing.

Context-Inappropriate Capability

Low
Confidence: 78%
Finding
The skill can silently obtain anonymous tokens and manage credits/session creation without clear user awareness, even though the stated purpose is just trimming a video. While not inherently malicious, this expands the privilege and account surface area beyond what users would reasonably expect from a simple editing skill.

Vague Triggers

Medium
Confidence: 84%
Finding
The invocation examples are broad enough to match common video-editing requests rather than a narrowly scoped trimming function. This can cause the skill to activate unexpectedly for generic media tasks, leading users to submit files or requests under an inaccurate assumption of what the skill will do.

Vague Triggers

Medium
Confidence: 92%
Finding
The catch-all rule routes nearly everything not matching a few keywords into the SSE editing path, which is an overly broad trigger. In practice this allows a trimming-branded skill to process a wide range of editing/generation requests and send them to the remote backend without sufficiently narrow intent checks.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill encourages users to upload media but does not prominently warn that files and editing instructions are sent to a cloud backend for processing. This is a material privacy and data-handling omission, especially for interview recordings and other potentially sensitive video content.

VirusTotal

66/66 vendors flagged this skill as clean.
