ClawHub

Free Editing Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-editing connector that is generally coherent and disclosed, but users should know their media and prompts are sent to NemoVideo’s remote service.

Install only if you are comfortable sending selected video files, edit prompts, and session metadata to NemoVideo’s cloud API. Avoid private or sensitive footage unless you trust that service’s privacy, retention, and deletion practices, and be cautious with URL imports from untrusted or internal sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly supports uploading media from arbitrary remote URLs, which expands the trust boundary beyond user-supplied local files. This can be abused to make the backend fetch attacker-controlled or internal resources, creating SSRF-style risk, unexpected data ingestion, and privacy issues that are not aligned with the stated 'upload your raw clips' purpose.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The catch-all rule routes 'everything else' related to generating or editing into the SSE action, giving the skill very broad activation semantics. That can cause unintended invocation on loosely related prompts, increasing the chance that user text or attachments are sent to the remote backend without clear intent or scope control.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill processes uploaded media and edit instructions on a remote backend, but the user-facing description does not clearly warn that files and prompts leave the local environment. This creates a transparency and consent problem, especially for personal or sensitive video content, because users may reasonably assume the editing is local or sandboxed.

Natural-Language Policy Violations

Medium
Confidence
75% confidence
Finding
The instruction to automatically translate GUI-oriented backend responses without user opt-in or language selection can alter meaning and cause the agent to take actions the user did not clearly approve. While less severe than direct code execution issues, it can contribute to confusion, misrepresentation of backend instructions, and accidental operations in multilingual contexts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal