ClawHub

Video Editing With Lyrics App

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, with some activation-scope and privacy cautions but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable using NemoVideo’s cloud service for video processing. Avoid private or sensitive media unless you accept that prompts, uploaded files, session state, and render data may be sent to nemovideo.ai, and invoke the skill only for intentional video-editing work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The catch-all rule routes 'Everything else' including generic editing requests like adding BGM to this skill, materially expanding it beyond lyric syncing. That can cause the agent to invoke a third-party cloud editing backend for broader media tasks than the user would reasonably infer from the skill name and description, increasing accidental data exposure and unintended actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The guidance 'Or just tell me what you're thinking' is overly broad and can make the skill appear eligible for vague conversational prompts unrelated to lyric-synced video editing. In an agent environment, broad trigger phrasing increases the chance of accidental activation and unintended transmission of user content to the remote API.

Vague Triggers

Medium
Confidence
93% confidence
Finding
A catch-all routing rule that sends 'Everything else' to SSE is too ambiguous for a skill that uploads data and performs remote processing. This can over-trigger the skill on loosely related prompts, causing unintended third-party API calls, session creation, and possible upload of user media or instructions without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to immediately connect to external APIs, generate or use tokens, and create remote sessions, but it does not provide a clear upfront warning that user prompts and uploaded media are sent to a third-party cloud service. Because this skill handles potentially sensitive media files, the lack of transparent disclosure and consent materially increases privacy and data-governance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal