ClawHub

Ai Tools For Video Editing

Security checks across malware telemetry and agentic risk

Overview

This appears to be a cloud video-editing skill that sends user-selected media and prompts to Nemo for processing, which fits its stated purpose but needs privacy-aware use.

Install only if you are comfortable sending selected videos, prompts, and render/session metadata to Nemo's cloud service. Avoid private, client, or confidential footage unless you trust the provider's data handling, and ask the agent to confirm before uploads or exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The getting-started prompt invites users to broadly 'share your raw video footage' and the example triggers are generic enough that the skill may activate on loosely related editing/upload requests. In a skill that automatically connects to a cloud backend and processes user media, broad invocation increases the chance of unintended activation and accidental transmission of sensitive video content.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing table sends 'Everything else' to the SSE/chat action, which is an overly broad catch-all for a networked backend that can modify session state and drive editing actions. This can cause unrelated user text to be forwarded externally, trigger unintended edits, or process sensitive content without sufficiently clear intent, making the ambiguity more dangerous in this cloud-connected media skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown describes cloud processing but does not provide a clear, prominent privacy warning that uploaded media is transmitted to a third-party backend and may persist in remote session/render infrastructure. Because this skill handles raw video footage, which often contains sensitive screen recordings, faces, audio, or confidential material, insufficient disclosure can lead to uninformed user consent and privacy harm.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal