Video Editing App In Ai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but users should know their videos and prompts are sent to NemoVideo for processing.

Install only if you are comfortable sending raw videos, external media URLs, and editing instructions to NemoVideo's cloud backend. Avoid confidential, private, or regulated media unless you trust that service's privacy and retention practices, and ask the agent to confirm before the first connection, before any upload, and before acting on ambiguous edit requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 90% confidence
The invitation text is broad enough that ordinary user phrases like sharing footage or describing an edit could invoke the skill without a clearly bounded trigger. In a skill that uploads media and automatically connects to a remote backend, over-broad activation increases the chance of unintended data transmission and user confusion about when external processing begins.

Vague Triggers

Medium, 95% confidence
The catch-all rule routes 'Everything else' to the SSE backend, which means ambiguous or unrelated prompts may be sent to a remote service. Because the backend can process free-form instructions and session state, this expands the attack surface for accidental invocation, privacy leakage, and unintended remote actions.

Missing User Warnings

Medium, 97% confidence
The skill instructs the agent to automatically connect, obtain an anonymous token, and create a remote session without a prominent user-facing disclosure that content and metadata will be transmitted to a third-party backend. In the context of a video editing skill handling uploaded media, this is particularly sensitive because users may expose private audiovisual data before giving informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
