Best Wechat Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that uses NemoVideo APIs as disclosed, with privacy and URL-ingestion considerations users should understand before sending media.

Install only if you are comfortable sending selected videos, media URLs, edit prompts, subtitles, and generated outputs to NemoVideo's cloud service. Use a dedicated NEMO_TOKEN when possible, avoid private or rights-sensitive media unless you trust the provider, and be aware that opening the skill may create an anonymous token and remote session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium (91% confidence)
Finding
The skill advertises a constrained video-upload workflow, but the documented behavior permits broader media types and non-user-supplied inputs, including URL ingestion. That mismatch weakens user expectations and safety boundaries, increasing the chance of unintended data ingestion, policy bypass, or processing of untrusted remote content.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
Allowing arbitrary remote-URL fetching introduces an unnecessary external retrieval capability for a skill whose stated purpose is editing user-uploaded videos. This can be abused to pull attacker-controlled content, access unexpected internal or private URLs depending on backend behavior, or process material the user never directly uploaded.

Missing User Warnings

Medium (90% confidence)
Finding
The skill instructs automatic backend connection, token acquisition, and remote session creation without prominently informing the user that their prompts and uploaded media will be transmitted to a third-party service. This creates a meaningful transparency and privacy risk, especially for personal videos and sensitive media.

VirusTotal

52/52 vendors flagged this skill as clean.
