ClawHub

Youtube Video Editor Effects

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends selected media and edit prompts to a Nemovideo backend, with no install-time code or hidden local persistence found.

Install only if you are comfortable sending selected videos, images, audio, prompts, and render requests to Nemovideo's cloud service. Avoid uploading sensitive personal, business, or copyrighted media unless you trust that provider's privacy, retention, and billing practices; ambiguous edit requests should be confirmed before upload or export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The sample invocation phrases are very short and generic, which increases the chance the skill activates on ordinary conversation or loosely related user input. In a skill that can initiate cloud setup, create sessions, and process uploaded media, accidental invocation can lead to unintended network actions and confusing user experience.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The catch-all rule routes "Everything else" to the SSE editing action, which is overly permissive and can send arbitrary user text to the remote backend without a clear intent match. Because the SSE path is the main action channel, ambiguous routing increases the risk of unintended external data disclosure and unexpected edits or job creation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill clearly relies on a cloud backend for upload, processing, and rendering, but the user-facing description does not prominently warn that user media will be transmitted to a third-party service. This creates a privacy and consent issue, especially for personal or sensitive videos, because users may not realize their content leaves the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal