ClawHub

Ai Video Editor In Hyderabad

Security checks across malware telemetry and agentic risk

Overview

This appears to be a cloud video-editing skill, but it may send videos and broad user prompts to a remote service before users have clear control or notice.

Install only if you are comfortable sending selected videos, audio, metadata, prompts, and generated edit state to the provider's cloud service. Use non-sensitive media first, avoid private or regulated footage unless you trust the provider's retention and privacy practices, and prefer explicit confirmation before the skill creates sessions, obtains tokens, or uploads files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The routing table sends 'everything else' to the SSE editing action, making activation overly broad and allowing many unrelated prompts to be forwarded to a third-party backend. In a chat agent context, this can cause unintended disclosure of user prompts or files to an external service, especially when users did not clearly invoke the skill or understand that broad classes of input will trigger network actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages users to upload raw video footage but does not prominently warn that the media is sent to a cloud processing service. Video files often contain sensitive visual content, audio, metadata, and personal information, so omission of this disclosure increases the risk of accidental privacy exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill performs automatic setup, including token acquisition and session creation, before doing anything else and without a clear upfront user warning. Silent network calls and credential handling can surprise users, create unauthorized external communication, and expand the blast radius if prompts or environment-provided tokens are used without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal