Ai Video Editor Davinci Resolve

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, but users should understand that their selected media and prompts go to NemoVideo for processing.

Install this only if you are comfortable sending selected videos, audio, images, URLs, and editing prompts to NemoVideo. Keep NEMO_TOKEN private, avoid confidential or unreleased footage unless you accept the provider's handling of it, and confirm ambiguous edit requests before letting the skill process them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 94% confidence
Finding
The routing table sends "Everything else" to the SSE editing action, which effectively grants a very broad default behavior for arbitrary user input. In a skill that can upload media, create sessions, spend credits, and trigger cloud-side edits, this increases the chance of unintended remote actions, prompt misrouting, and abuse through ambiguous or maliciously crafted requests.

Missing User Warnings

Medium, 97% confidence
Finding
The skill description emphasizes convenience and automatic editing but does not clearly disclose that user videos are uploaded to a third-party cloud service for processing. Because video files may contain sensitive personal, commercial, or location data, insufficient disclosure can cause users to share private content without informed consent.

Missing User Warnings

Medium, 96% confidence
Finding
The setup flow automatically uses an existing token or acquires an anonymous token and creates a session before doing anything else, without first warning the user or obtaining consent. This can silently establish authenticated access and consume service resources or associate activity with the user's environment in a way the user may not expect.

VirusTotal

66/66 vendors flagged this skill as clean.