ClawHub

Video Trimmer Mp3

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video editing helper that sends selected videos and prompts to NemoVideo, which is disclosed and aligned with its stated use.

Install only if you are comfortable sending selected videos, editing prompts, and session metadata to mega-api-prod.nemovideo.ai. Avoid confidential, regulated, biometric, corporate, or rights-sensitive media unless you trust that provider’s privacy and retention practices, and keep any NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a simple trim/extract utility, but the body defines a much broader remote video-editing and media-generation workflow with session management, SSE command execution, uploads, state inspection, and export logic. This scope expansion can mislead users and host platforms about what the skill actually does, increasing the chance that users authorize broader cloud actions and data handling than they expected.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Routing 'everything else' to the SSE editing action is overly broad and effectively turns most user input into remote backend commands. In a skill that uploads files and operates against a cloud editing/session API, this increases the risk of unintended actions, over-collection, and surprising networked behavior from vague or unrelated prompts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs automatic connection to a third-party processing API, token acquisition, session creation, and video upload/cloud processing without an upfront privacy or data-transmission warning. Because users may provide personal or sensitive media, silent transfer to a remote service materially increases confidentiality and consent risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal