ClawHub

Linkedin Video

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill with real privacy considerations, but its network use and media handling are disclosed and aligned with LinkedIn video formatting.

Install only if you are comfortable sending selected videos, media URLs, editing prompts, and related media assets to NemoVideo's cloud service. Keep NEMO_TOKEN private, avoid sensitive or proprietary recordings unless you trust the provider's privacy and retention practices, and confirm before uploading URL-based media or using service credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest and user-facing description say the skill works with video files up to 500MB, but later documentation expands supported inputs to images and audio formats. This mismatch weakens user consent and security boundaries because users and hosts may assume only video is accepted while the backend is actually permitted to ingest a broader class of media.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The upload workflow permits URL-based ingestion of arbitrary remote media, which is broader than the stated purpose of processing user-provided footage shared in chat. This can enable unintended fetching of third-party or internal resources, create privacy and consent issues, and potentially expose the backend to server-side request abuse depending on how URLs are fetched.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The onboarding text and trigger examples are broad enough that ordinary conversation or generic phrases like 'export 1080p MP4' could activate the skill unexpectedly. In this skill, unexpected activation is more concerning because it can lead to authentication, session creation, and cloud processing of user media without clear deliberate invocation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description emphasizes convenience but does not clearly warn users up front that their media is sent to a cloud backend for processing. Because the content may contain personal or sensitive recordings, the missing disclosure undermines informed consent and increases privacy risk if users assume local-only handling.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal