ClawHub

Editor Pc

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill that sends chosen media and edit prompts to NemoVideo, with no evidence of hidden code, exfiltration, or destructive behavior.

Install only if you are comfortable sending selected footage, edit instructions, session state, and render jobs to mega-api-prod.nemovideo.ai. Avoid uploading private or regulated video unless you trust NemoVideo's handling of it, use a dedicated token when possible, and ask the agent to confirm uploads, exports, and credit-impacting actions before proceeding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example trigger phrases are generic enough that ordinary conversation like asking to edit footage or export a file could activate the skill unexpectedly. In this skill, unintended activation is more sensitive because it can immediately initiate setup against a third-party video-processing service and encourage users to upload media without a clear consent boundary.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table contains a broad catch-all condition ('Everything else') that can funnel many unrelated prompts into the SSE editing workflow. Because this workflow can send user text to a remote backend and alter session state, ambiguous routing increases the risk of unintended data disclosure and accidental remote actions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill description markets easy video editing but does not clearly warn users that uploaded videos and prompts are sent to a remote third-party processing API. This omission is significant because raw video footage may contain sensitive personal, workplace, or biometric information, and users may reasonably assume local or first-party handling from the description alone.

Natural-Language Policy Violations

Low
Confidence
77% confidence
Finding
Forcing GUI translation behavior without user opt-in can misrepresent backend output, especially across languages, and may cause the agent to take actions based on translated intent rather than the user's exact wording. In an editing/export workflow, this is lower severity than direct code execution, but it can still lead to mistaken operations or misleading user communication.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal