ClawHub

Video Editing With Grok

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should understand that media and edit prompts are sent to NemoVideo for remote processing.

Install only if you are comfortable sending video, audio, images, filenames, and edit instructions to NemoVideo's cloud API using a NEMO_TOKEN or anonymous token. Avoid uploading confidential screen recordings, client data, credentials, private faces or voices, or regulated content unless the service's privacy and retention terms are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The starter prompts are broad enough that ordinary conversational input like 'edit my raw video footage' or partial phrases could trigger the skill without a clear, explicit invocation boundary. Because this skill performs authenticated setup and uploads user media to a third-party service, accidental activation can lead to unintended external API calls and transfer of potentially sensitive video content.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table includes an 'Everything else' catch-all that sends all other prompts into the SSE editing pipeline, making the skill effectively activate on nearly any unmatched user text. In context, that is more dangerous because the SSE path can initiate remote processing against a live session, increasing the chance of unintended third-party requests, token usage, and processing of user content without clear consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to upload raw user video footage to cloud APIs and describes cloud GPU processing, but it does not provide a clear upfront warning that user media will be transmitted to and processed by an external service. This is especially significant for screen recordings, which often contain sensitive information such as emails, credentials, internal dashboards, or personal data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal