Easy Editor Ai

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that sends user-selected media and editing prompts to a remote rendering service, with no evidence of hidden destructive or unrelated behavior.

Install only if you are comfortable sending selected media files, editing prompts, project/timeline state, and render requests to nemovideo.ai. Supplying NEMO_TOKEN gives the skill access to that service account’s credits and sessions; without it, the skill may create an anonymous starter token automatically. Use non-sensitive clips first and avoid confidential recordings unless you trust the provider’s privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill metadata and description frame the capability as a video-editing tool, but the documentation expands accepted inputs to images and audio files without clearly declaring that broader scope. This mismatch can cause users or host platforms to send data types they did not expect to be processed remotely, weakening consent and policy enforcement around what content the skill handles.

Vague Triggers

Medium
Confidence: 88%
Finding
The routing table includes a catch-all path for 'Everything else,' which can activate the skill for broadly worded editing-related prompts. In an agent environment, this increases the chance of overbroad interception of user requests and unintended transmission of prompts or files to the external backend.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs the agent to obtain or mint tokens and then establish a session with a third-party API before handling requests, while also telling the agent to keep technical details out of the chat. That creates a real transparency and privacy problem: user prompts and uploaded media may be sent off-platform without clear user notice or informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.
