Video Making Free Online

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-rendering skill whose uploads, token use, and remote API calls match its stated purpose, though users should treat media and prompts as sent to NemoVideo’s service.

Install only if you are comfortable sending your media files, edit prompts, token-backed or anonymous service identity, and basic skill attribution metadata to NemoVideo’s cloud API. Avoid confidential media unless you have reviewed and trust that service’s privacy, retention, and deletion practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium, 94% confidence
Finding
The skill derives and transmits `X-Skill-Platform` from local install paths such as `~/.clawhub/` or `~/.cursor/skills/`, which is unrelated to video creation and unnecessarily fingerprints the user's environment. Even if only a coarse label is sent, it leaks host/application context to the remote service and increases tracking surface without clear user benefit or consent.

Vague Triggers

Medium, 91% confidence
Finding
The routing rule 'Everything else' to SSE is overly broad and can cause the skill to capture and forward arbitrary user prompts to the backend, including requests outside the stated video-editing scope. This expands data exposure and may result in unintended remote processing of unrelated or sensitive content.

Missing User Warnings

Medium, 95% confidence
Finding
The skill instructs users to upload files and send them to a third-party cloud backend but does not provide a clear user-facing notice about external transfer, retention, or processing of media content. This is dangerous because users may share private images, videos, or audio without understanding that the content leaves the local environment and is processed remotely.

Missing User Warnings

Medium, 93% confidence
Finding
The skill accesses `NEMO_TOKEN` from the environment and may also obtain anonymous auth tokens, but it does not clearly warn the user that credential material will be used to authenticate requests to a third-party service. Silent use of secrets increases the risk of users unintentionally authorizing account-linked actions or data access.

VirusTotal

66/66 vendors flagged this skill as clean.
