For Video Free

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should understand that clips and prompts are sent to Nemo Video’s remote service.

Install only if you are comfortable sending video/audio/image files, edit prompts, and project state to Nemo Video cloud endpoints. Do not upload confidential, regulated, client-owned, or personally sensitive media unless you have permission and understand the service’s retention and account terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The suggested invocation phrases are extremely generic (for example, common editing requests like 'edit my video clips' or 'export 1080p MP4'), which increases the chance this skill is activated unintentionally during ordinary conversation. Because the skill performs automatic setup and connects to a remote processing API on first interaction, accidental invocation can lead to unintended network calls and media handling without clear user intent.

Vague Triggers

Medium
Confidence: 87%
Finding
The routing table sends 'Everything else' to the SSE editing action, creating an ambiguous catch-all that can interpret many unrelated user messages as commands to the backend. In this skill, that behavior is riskier because the backend can process uploads, timeline edits, and cloud actions, so vague or incidental text may trigger unintended remote operations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill encourages users to drop video clips into chat and says it will handle editing on cloud GPUs, but it does not prominently disclose, before upload, that user media is transmitted to a third-party remote API service. For video content, this is privacy-sensitive because clips may contain faces, voices, locations, or other personal data, and users may reasonably assume processing is local unless told otherwise.

VirusTotal

65/65 vendors flagged this skill as clean.
