ClawHub

Ai Video Editor Motion Graphics

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill that sends user-selected videos and edit prompts to Nemovideo for remote rendering, with privacy caveats but no evidence of hidden or unrelated behavior.

Install only if you are comfortable sending selected video files and editing instructions to Nemovideo's remote API. Avoid sensitive personal, corporate, or regulated footage unless you have reviewed the provider's privacy, retention, and deletion terms, and prefer a dedicated token rather than reusing credentials tied to other services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill encourages users to upload video clips and send editing instructions to a remote vendor API, but the user-facing getting-started text does not clearly warn up front that media and prompts leave the local environment. This creates a privacy and consent problem because users may disclose sensitive video content, embedded metadata, faces, screens, or proprietary material without realizing third-party transmission occurs automatically.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill auto-provisions a free anonymous token on first interaction if no token is present, but this behavior is not clearly disclosed to the user before network authentication occurs. While lower severity than direct data exfiltration, silently creating and using vendor credentials can violate user expectations, obscure account linkage behavior, and make outbound access happen without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal