Best Video Maker Free

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill that sends chosen media and editing prompts to NemoVideo, with no hidden installer or unrelated local access found.

Install only if you are comfortable sending selected videos, images, audio, URLs, editing prompts, and project state to NemoVideo’s cloud service. Keep NEMO_TOKEN private, avoid confidential or rights-restricted media, and understand that free use depends on credits, token expiry, and possible export limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 89% confidence
Finding
The routing table sends all unmatched prompts to the SSE endpoint, which is effectively a free-form remote instruction channel to the cloud backend. That increases the chance that unrelated or ambiguous user input, including sensitive text or unintended commands, is transmitted off-platform and acted on without clear scoping or confirmation.

Missing User Warnings

Medium, 93% confidence
Finding
The skill instructs users to upload media and provide editing instructions, but the user-facing description does not clearly disclose that those files and prompts are sent to a third-party cloud service for processing. This is a privacy and consent problem because users may share personal photos, videos, or audio without understanding the external data transfer.

Missing User Warnings

Medium, 82% confidence
Finding
The metadata declares use of an environment token and the document describes using that bearer credential for all backend requests, but there is no corresponding warning to users or operators about credential scope, storage, or misuse risk. In an agent setting, implicit use of ambient credentials can cause unauthorized third-party API access without informed consent or least-privilege controls.

VirusTotal

64/64 vendors flagged this skill as clean.
