Tiktok Video Editor Online Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that discloses its NemoVideo backend and does not include executable install code, but users should treat uploaded videos as shared with an external service.

Install only if you are comfortable sending the videos, prompts, and edit-session data you provide to mega-api-prod.nemovideo.ai for processing. Avoid confidential or sensitive footage unless you trust that service's privacy, retention, and deletion practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill invites activation from very generic phrases like "edit my video clips" and "export 1080p MP4," which are common requests that could be made outside the user's intent to invoke this specific third-party cloud skill. Because the skill can upload media and send prompts to a remote backend, broad triggers increase the chance of accidental invocation and unintended data transfer.

Vague Triggers

Medium
Confidence: 96%
Finding
The routing table sends "Everything else" to the SSE editing action, creating a catch-all path that can treat nearly any unmatched user message as an instruction to contact the backend. In this skill, that is more dangerous than a normal misroute because the fallback may transmit user text to a cloud service and potentially mutate remote session state without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
Although the document later mentions a cloud backend, the user-facing description and getting-started flow do not prominently warn that uploaded videos, prompts, and editing requests are sent to an external service. Given that videos may contain sensitive personal content, insufficient disclosure can lead to uninformed consent and privacy exposure.

VirusTotal

65/65 vendors flagged this skill as clean.
