ClawHub

Lesson Editor

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video lesson editing skill whose network, token, session, and media-processing behavior fits its stated purpose, though users should understand their content is sent to NemoVideo.

Install only if you are comfortable sending selected lesson recordings, prompts, URLs, and render metadata to NemoVideo cloud services. Avoid confidential or regulated recordings unless NemoVideo's privacy, retention, and compliance terms meet your needs, and treat NEMO_TOKEN as a service credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The suggested invocation phrase is extremely broad and conversational, which increases the chance the skill is triggered during ordinary user dialogue rather than by explicit intent to use the lesson editor. In an agent environment that auto-routes based on prompt text, this can cause unintended API setup, token generation, session creation, or media-processing actions without clear user consent.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The routing table includes a catch-all rule that sends essentially all other requests into the SSE edit pipeline, creating an overly permissive activation surface. Because the skill also instructs the agent to connect to external services and perform backend actions automatically, ambiguous or unrelated text could trigger network calls and state-changing operations that the user did not explicitly request.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal