ClawHub

Portugues Editor Ai

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud video-editing skill, but its broad activation and automatic remote-session behavior could send user prompts or media to a third-party service before users have a clear consent point.

Review before installing. Use this only if you are comfortable sending videos, edit instructions, uploaded URLs, and session metadata to the NemoVideo cloud API. Avoid confidential, workplace, regulated, or private footage unless the publisher clarifies retention, deletion, URL-fetching safeguards, and when the skill will ask for confirmation before contacting the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill explicitly supports uploading media by arbitrary URL, which turns a user-facing video editing flow into a server-side fetch capability against a third-party backend. If unvalidated, this can enable SSRF-style access to internal resources, retrieval of sensitive URLs, or abuse of the remote service for arbitrary content fetching beyond the intended upload use case.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation guidance is overly broad and includes generic phrases such as 'edit my video clips' and especially a catch-all posture that encourages activation from vague user intent. This increases the chance the skill is triggered unintentionally, causing users to send media or instructions to a remote service without a clear, informed action boundary.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The phrase 'Or just tell me what you're thinking' is ambiguous and effectively invites activation on nearly any conversational input. In this skill's context, that ambiguity is more dangerous because first interaction triggers connection to a remote API and may begin a workflow involving external processing of user media and prompts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill says rendering happens server-side, but it does not prominently warn users up front that uploaded videos and editing instructions are transmitted to remote cloud services for processing. Because videos can contain sensitive personal, workplace, or location data, this lack of disclosure undermines informed consent and can lead to unintended data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal