ClawHub

Ai Video Editor Generator Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose media upload and token use match its stated purpose, but users should understand that uploaded videos and prompts go to NemoVideo's backend.

Install only if you are comfortable sending selected videos, URLs, prompts, and render/session data to NemoVideo's cloud service. Avoid private, regulated, workplace, or identifiable footage unless you trust the provider and ask the agent to confirm before uploading ambiguous media or starting exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The getting-started prompt invites users to 'share your raw video footage' or 'just tell me what you're thinking,' which is broad enough to activate the skill on vague conversational input rather than a clearly intentional invocation. In a chat environment, this can cause accidental routing of unrelated messages or files into a cloud-backed workflow, increasing the chance of unintended data disclosure and user confusion.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Example trigger phrases such as 'edit my raw video footage' and especially 'export 1080p MP4' are generic commands that could appear in ordinary conversation and be misinterpreted as a request to invoke this specific skill. Because the skill can create sessions, upload content, and interact with an external backend, accidental invocation may lead to unintended transmission or processing of user data.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table sends 'Everything else' related to generate/edit/add BGM to the SSE action, which is effectively a catch-all without clear semantic boundaries. This makes the skill prone to over-triggering on loosely related text, causing unintended backend requests and potentially exposing user content or context to a third-party service without sufficiently explicit intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that users can drop raw footage in chat and that cloud GPUs handle the editing, but it does not present a prominent upfront warning that uploaded videos and prompts are transmitted to a remote third-party backend. Given that video files often contain sensitive visual, audio, or metadata content, insufficient disclosure undermines informed consent and raises privacy and compliance risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal