Ai Video Editing With Music

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-editing helper whose network use, uploads, token setup, and session state are aligned with its stated purpose, though users should understand media and prompts go to NemoVideo’s backend.

Install only if you are comfortable sending chosen videos, media URLs, and editing prompts to NemoVideo cloud services. Avoid uploading sensitive personal, biometric, private, or location-revealing footage unless you accept the provider-side processing and session tracking involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The routing table sends all unmatched requests to the SSE editing action, which can cause unrelated user inputs to be forwarded to the remote backend. In a skill that uploads media and issues cloud-side editing commands, this increases the chance of unintended processing, privacy leakage, and accidental external requests triggered by ambiguous prompts.

Missing User Warnings

Medium
Confidence: 95%
Finding
The setup and usage text does not clearly warn users that their uploaded videos are transmitted to and processed by a third-party cloud backend. Because videos may contain sensitive personal, biometric, or location data, failing to disclose remote processing undermines informed consent and creates privacy and compliance risk.

Missing User Warnings

Low
Confidence: 92%
Finding
The skill automatically acquires an anonymous token and creates a backend session/account context without clearly informing the user. While this may be operationally convenient, it can surprise users by establishing third-party identifiers and service-side state on their behalf, creating transparency and privacy concerns.

VirusTotal

66/66 vendors flagged this skill as clean.
