ClawHub

Ai Video Editor Maker Free

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, but users should understand that selected media, prompts, and sessions are handled by NemoVideo's remote service.

Install only if you are comfortable sending the media files, URLs, edit prompts, and related session metadata you choose to use with the skill to NemoVideo's cloud service. Avoid sensitive personal, proprietary, or regulated videos unless you have separately verified the provider's privacy, retention, and deletion practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation guidance includes very broad prompts such as general editing/export phrases that could be triggered by ordinary conversation, increasing the chance the skill activates unexpectedly. In a skill that uploads media and initiates remote API sessions, accidental invocation can lead to unintended data transfer or backend actions without sufficiently clear user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The catch-all routing rule sends 'Everything else' to the SSE editing path, which creates an overly permissive trigger boundary. Because this skill opens remote sessions and may process user content server-side, broad default routing can cause unintended requests, confusion about what data is being sent, and reduced user control over cloud actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill initiates backend connections, token acquisition, session creation, and later media upload to a remote cloud service, but the getting-started flow does not present a clear, prominent user warning before that processing occurs. For a media-editing skill handling potentially sensitive videos, this omission materially increases privacy risk because users may not realize their files and prompts are sent off-device to third-party infrastructure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal