ClawHub

Ai Video Editor Hindi

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video editing skill whose external upload and token use match its stated purpose, but users should treat uploaded media as leaving their device.

Install only if you are comfortable with selected videos, audio, images, and generated exports being processed by NemoVideo cloud services. Avoid uploading private or sensitive footage unless you trust the provider, and keep NEMO_TOKEN and raw API logs private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The getting-started prompt invites users to merely share raw footage or vague intent, which can cause the skill to activate on loosely related conversation and immediately begin a cloud-connected workflow. In this skill, accidental invocation is more sensitive because it can lead to media upload and remote processing of potentially private video content.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Trigger examples like 'edit my raw video footage' and 'export 1080p MP4' are generic and could match normal conversation unrelated to this specific skill. Because the skill can create authenticated sessions and process user media through a third-party backend, unintended routing increases privacy and consent risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill routes user videos to a cloud backend and even provisions anonymous tokens, but the user-facing description does not clearly warn that uploaded media leaves the local environment for third-party processing. That omission undermines informed consent and is particularly risky for videos that may contain faces, voices, locations, or other sensitive personal data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal