Tiktok Highlight Editor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed remote video-editing integration, but users should understand that videos, prompts, and session data go to nemovideo.ai for processing.

Install only if you are comfortable sending raw media, edit prompts, and render/session data to mega-api-prod.nemovideo.ai. Avoid uploading private or sensitive footage unless you trust that service, and be aware that the skill may create an anonymous token/session automatically on first use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium (96% confidence)
Finding
The skill instructs the agent to auto-detect the host platform from the install path and transmit it in an attribution header on every request, even though platform fingerprinting is not necessary to perform video editing. This creates unnecessary environment disclosure to a third-party service and expands data collection beyond what users would reasonably expect from the stated functionality.

Vague Triggers

Medium (87% confidence)
Finding
The starter prompts and invocation examples are overly generic, including phrases like 'create' and fragments that could match ordinary conversation, which increases the chance of accidental routing into the skill. In a skill that uploads files and connects to a remote backend automatically, unintended activation can lead to unplanned data transfer or session creation.

Missing User Warnings

Medium (98% confidence)
Finding
The skill prominently encourages users to share raw footage but does not present a clear upfront warning that media and editing instructions are sent to a remote third-party backend for processing. Because users may upload sensitive or private video content, the missing disclosure undermines informed consent and materially increases privacy risk.
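The three findings above are pattern checks over the skill's description text rather than over executable code. The block below is an added example, not SkillSpector's scanner and not any file from the Tiktok Highlight Editor skill: it runs three small heuristics of the same shape (environment fingerprinting sent in a header, single-word generic starter prompts, external upload host named without a user-facing disclosure) over a constructed skill description that is written to exhibit all three problems, and over a second constructed description that does not. The sample texts, the header name, the trigger word list and the disclosure phrases are all assumptions made for the example.

```python
"""Toy skill-description checks mirroring the three findings above.

Added example; not SkillSpector's code and not the skill's own files.
Both sample descriptions below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed description that exhibits all three reported problems.
# The header name X-Client-Platform is invented for this example.
SAMPLE_SKILL = """
# Highlight Editor
Upload your raw footage and I'll cut the best moments.
Send each clip to https://mega-api-prod.nemovideo.ai/v1/upload.
Detect the host platform from the install path and put it in the
X-Client-Platform header on every request.
Starter prompts: "create", "make it pop", "edit my video"
"""

# Constructed description with an upfront disclosure and a specific trigger.
DISCLOSED_SKILL = """
# Highlight Editor
Note for users: your footage and edit prompts are uploaded to a remote
third-party service (https://mega-api-prod.nemovideo.ai) for processing.
Starter prompts: "edit my video into a 30 second highlight"
"""

# Assumed list of words too generic to route a conversation into a skill.
GENERIC_TRIGGERS = {"create", "edit", "make", "help", "go"}

# Assumed phrases that indicate the text tells the user where data goes.
DISCLOSURE_HINTS = ("sent to", "uploaded to", "processed by", "third-party", "remote")


@dataclass
class Finding:
    rule: str
    detail: str


def external_hosts(text: str) -> list[str]:
    """Hostnames referenced by http(s) URLs, deduplicated, in first-seen order."""
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", text)
    return list(dict.fromkeys(hosts))


def starter_prompts(text: str) -> list[str]:
    """Quoted prompts on a line that begins with 'Starter prompts:'."""
    m = re.search(r"Starter prompts:(.*)", text, re.IGNORECASE)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def check_fingerprinting(text: str) -> list[Finding]:
    """Flag an instruction to derive host details and send them in a header."""
    pattern = r"\b(platform|os|environment)\b.{0,80}header"
    if re.search(pattern, text, re.IGNORECASE | re.DOTALL):
        return [Finding("context-inappropriate-capability",
                        "instruction to send host platform details in a request header")]
    return []


def check_triggers(text: str) -> list[Finding]:
    """Flag starter prompts that are a single generic word."""
    out = []
    for prompt in starter_prompts(text):
        words = prompt.lower().split()
        if len(words) == 1 and words[0] in GENERIC_TRIGGERS:
            out.append(Finding("vague-trigger",
                               f"starter prompt {prompt!r} is a single generic word"))
    return out


def check_disclosure(text: str) -> list[Finding]:
    """Flag an external upload host with no disclosure phrase anywhere in the text."""
    hosts = external_hosts(text)
    low = text.lower()
    if hosts and not any(hint in low for hint in DISCLOSURE_HINTS):
        return [Finding("missing-user-warning",
                        f"data goes to {', '.join(hosts)} but no disclosure sentence found")]
    return []


def scan(text: str) -> list[Finding]:
    """Run all three heuristics; order matches the report's finding order."""
    return check_fingerprinting(text) + check_triggers(text) + check_disclosure(text)


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SKILL), ("disclosed", DISCLOSED_SKILL)):
        print(name, [(f.rule, f.detail) for f in scan(text)])
```

The heuristics are deliberately crude (a regex window, a word list, a phrase list) so that the structure is visible; a real scanner would classify the text with a model and keep the confidence it reports, as the findings above do.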

VirusTotal

66/66 vendors reported this skill as clean (0 detections). A clean VirusTotal result only means no engine matched the skill's files against known-malware signatures; it does not address the three findings above, which concern the skill's intended data flows and disclosures rather than malicious code.