ClawHub

Ai Screen Recording Editor

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud screen-recording editor whose remote upload and processing behavior is disclosed and aligned with its purpose, though users should treat uploaded recordings as sensitive.

Install only if you are comfortable sending screen recordings, audio, images, and edit prompts to NemoVideo's cloud service. Avoid uploading recordings containing passwords, tokens, private dashboards, regulated data, customer information, or confidential work unless you have reviewed the service's privacy and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example invocation text is broad and generic enough that ordinary conversation about editing or exporting videos could unintentionally trigger this skill. Because the skill uploads user media to a remote cloud backend and initiates session/auth flows, accidental activation can lead to unintended data transfer and confusing side effects.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing table uses a catch-all rule that sends "Everything else" to the SSE editing action, which makes the trigger scope highly ambiguous. In practice, many unrelated user utterances during a session could be forwarded to the remote backend, increasing the chance of unintended prompt transmission, unwanted edits, or accidental cloud processing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill clearly relies on remote cloud processing and file upload, but it does not present a prominent privacy warning near the upload/setup flow explaining that recordings and prompts are sent to a third-party service. For screen recordings, this is especially sensitive because they may contain credentials, internal systems, personal data, or proprietary information, so lack of disclosure materially increases privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal