ClawHub

Video Editing With Openshot

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-editing workflow, with privacy considerations around uploading media but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable sending videos, images, audio, URLs, editing prompts, session metadata, and a NEMO_TOKEN or anonymous token to the nemovideo.ai cloud backend for processing. Avoid private or sensitive footage unless you trust that provider's handling and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest and top-level description frame the skill as a video-upload workflow, but the implementation also accepts images and audio files. This capability mismatch can mislead users about what data may be transmitted to the cloud backend, weakening informed consent and increasing the chance of unintended exfiltration of non-video media.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger examples are broad and conversational, making it easier for ordinary user dialogue to activate the skill unintentionally. Because this skill can obtain tokens and send user media to a third-party backend, accidental invocation could cause unintended network actions and privacy-impacting uploads.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The catch-all routing rule sends 'everything else' to the SSE editing action without clear boundaries. In context, that means loosely related or ambiguous prompts may be forwarded to the cloud backend, potentially transmitting unintended user content and causing external side effects without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill description does not prominently warn users that uploaded media and editing instructions are sent to a cloud processing backend. Given that the skill handles potentially sensitive personal videos and automatically acquires tokens/sessions, lack of upfront disclosure undermines informed consent and creates a meaningful privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal