Youtube Video Editor Salary

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video editor, but it can automatically create/use a remote NemoVideo session and send media or broad prompts to that service without a clear consent gate.

Review before installing. Use it only if you are comfortable sending selected media and editing prompts to NemoVideo's cloud API, and prefer a dedicated NEMO_TOKEN with limited credits. Ask the agent to confirm before creating a session, uploading files, forwarding prompts, exporting, or spending credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The skill is instructed to silently obtain anonymous tokens from a third-party API when no credential is present, which creates external accounts/sessions without explicit user consent. In this context, automatic credential acquisition expands external interaction and can mask data transfer and service enrollment behind a simple editing workflow.

Vague Triggers

Medium
Confidence: 77%
Finding
The invocation phrases are generic enough that normal conversation about editing or exporting could trigger the skill unintentionally. In a skill that uploads media and connects to external APIs, over-broad activation increases the chance of accidental data transfer or remote processing without clear user intent.

Missing User Warnings

High
Confidence: 95%
Finding
The skill handles user-uploaded footage through external cloud endpoints but does not prominently warn users that their media will be transmitted off-platform for processing. Because uploaded footage may contain sensitive personal, workplace, or unpublished content, this omission materially increases privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.
