Ai Video Generator Free Editor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video editing skill, but it can connect to NemoVideo and send broad user prompts or media to that service without clear user confirmation.

Install only if you are comfortable sending video, images, editing prompts, and related session metadata to NemoVideo's cloud service. Avoid confidential recordings or images, use a dedicated or anonymous token where possible, and confirm what will be uploaded or exported before using broad editing requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
92% confidence
Finding
The getting-started prompts are broad enough that ordinary user phrases could invoke the skill without clear intent, increasing the chance of accidental activation. In this skill, accidental invocation is more sensitive because it can initiate remote API connections and encourage media upload to a third-party service.

Vague Triggers

Medium
95% confidence
Finding
The catch-all rule routes 'everything else' to the SSE editing path, which is overly permissive and can cause unrelated or ambiguous user text to be sent to the remote backend. Because SSE requests may process arbitrary natural-language instructions, this increases the risk of unintended external data transmission and unintended actions.

Missing User Warnings

Medium
97% confidence
Finding
The skill encourages users to upload video clips and images to a cloud service but does not clearly warn that media and prompts are transmitted to a remote backend. This omission undermines informed consent and is especially relevant here because uploaded media may contain sensitive visual, audio, or on-screen information.

Missing User Warnings

Low
84% confidence
Finding
The skill notes internally that render jobs may be orphaned if the tab is closed, but it does not present this as a user-facing warning where expectations are set. This can lead users to believe processing has stopped when cloud jobs may still be running or persist remotely.

Natural-Language Policy Violations

Medium
90% confidence
Finding
The session creation flow hard-codes `"language":"en"` without user choice, which can mis-handle non-English prompts and cause unintended processing or disclosure through translation-like behavior. In a multilingual skill with Chinese trigger examples, forcing English is particularly risky because it can degrade correctness and user understanding.

VirusTotal

66/66 vendors flagged this skill as clean.
