ClawHub

Video Maker Guru

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill; the main thing to understand is that uploaded footage and edit instructions go to NemoVideo’s backend.

Install only if you are comfortable sending selected videos, URLs, and edit prompts to NemoVideo’s cloud service. Do not upload recordings containing passwords, private chats, customer data, or confidential business material, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The suggested trigger phrases are overly broad and include generic terms like "create my raw video footage" and "export 1080p MP4," which could cause the skill to activate in contexts where the user did not clearly intend to invoke this cloud video-processing workflow. Because the skill performs networked actions and may upload user media to a third-party backend, unintended activation increases privacy and consent risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The catch-all routing rule sends "Everything else" to the SSE editing path, meaning vague or unrelated prompts may be forwarded to the remote backend as editing commands. In a skill that can create sessions, upload content, and drive external processing, ambiguous routing materially raises the chance of unintended external data disclosure or unintended billable/resource-consuming actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to share raw video footage and immediately describes connecting to a cloud processing backend, but it does not present a clear upfront warning that uploaded media and prompts are sent to a third-party service. Since raw screen recordings can contain sensitive information, insufficient disclosure undermines informed consent and increases privacy risk.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: video-maker-guru
version: "1.0.0"
displayName: "Video Maker Guru — Create and Export Edited Videos"
description: >
  Turn a 2-minute unedited screen recording into 1080p polished edited videos just by typing what you need. Whether it's turning raw footage into publish-ready videos quickly or quick social content, drop your raw video footage and describe the result you want. No timeline dragging, no export settings — 1-2 minutes from upload to download.
metadata: {"openclaw": {"emoji": "🎬", "requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}, "primaryEnv": "NEMO_TOKEN", "variant": "short_prompts"}}
Confidence
72% confidence
Finding
Create and Export Edited Videos" description: > Turn a 2-minute unedited screen recording into 1080p polished edited videos just by typing what you need. Whether it's turning raw footage into publis

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal