ClawHub

Video Movie Maker Free Download

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill matches its stated purpose, but users should know that clips and editing instructions are sent to nemovideo.ai.

Install only if you are comfortable sending selected videos, media URLs, edit prompts, and session metadata to nemovideo.ai. Avoid confidential or highly personal footage unless you trust the provider's privacy and retention practices, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The invocation guidance is broad enough that ordinary conversational phrases like sharing clips or casually describing editing goals could unintentionally trigger the skill. Because the skill immediately performs remote setup and may contact external services on first interaction, accidental activation can cause unintended data transmission and API usage without clear user intent.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The catch-all rule routes nearly any non-keyword message into the SSE action, which means unrelated or ambiguous user input can be sent to the backend as an editing command. In this skill, that increases the chance of unintended remote processing, session manipulation, and leakage of user text to a third-party service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill invites users to upload clips and provide editing instructions but does not prominently warn that both media and prompts are transmitted to a remote cloud API. This undermines informed consent and can expose sensitive videos, audio, and metadata to third-party processing without the user fully understanding where their data is going.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal