Easy Video Editor

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-editing skill, but it needs Review because it can automatically create a remote session and broadly forward prompts or uploaded media to a third-party video service.

Install only if you are comfortable sending selected videos, media URLs, and editing instructions to NemoVideo's cloud API. Before using it, ask the agent to confirm before token creation, upload, editing, or export; avoid confidential or regulated footage unless the service's privacy and retention terms are acceptable; keep NEMO_TOKEN private and monitor credit usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation guidance is broad enough that ordinary conversational phrases like 'what you're thinking' or generic editing-related wording could activate the skill without a clear, informed user intent to send content to a remote video-processing service. In this skill, unintended activation is more dangerous because uploaded media and prompts may be transmitted to a third-party backend and may consume tokens or credits.

Vague Triggers

Medium
Confidence: 94%
Finding
The catch-all rule routing 'Everything else' to the SSE editing backend is overly permissive and can cause unrelated user text to be forwarded to the remote service. This creates privacy risk, unexpected third-party disclosure of user prompts, and possible unwanted API usage or credit consumption, especially because the skill is designed to connect automatically on first interaction.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill does not present a prominent, upfront warning that user media, prompts, and session data are sent to `mega-api-prod.nemovideo.ai` for cloud processing. In a media-editing context this is significant because videos often contain sensitive personal, business, or location information, and users may not realize their content leaves the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.
