ClawHub

Editor De Video Gratis

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that clearly uses a remote backend, tokens, sessions, uploads, credits, and export APIs in ways that fit its stated purpose.

Install only if you are comfortable sending your video clips, prompts, and render metadata to the NemoVideo cloud service. Use non-sensitive media unless you trust that service, and keep any NEMO_TOKEN limited to this provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as a simple video editor, but its documented behavior includes obtaining authentication tokens, creating backend sessions, and managing account-linked state with a third-party service. This expands the trust boundary well beyond basic file processing and can cause users to unknowingly delegate identity, quota, and session management to an external platform without clear disclosure or consent.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Including credit-balance and account-related actions in a skill whose stated purpose is editing video clips introduces unnecessary access to billing or quota data. Even if read-only, it normalizes account interrogation unrelated to the core task and may expose sensitive usage information or enable deceptive upsell flows.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Routing essentially all unmatched prompts into the editing/SSE action creates an overly broad trigger surface, making it easy for unrelated or ambiguous user input to be sent to the remote backend. This increases the chance of unintended data disclosure, accidental uploads of sensitive instructions, or backend actions occurring without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill does not clearly warn users that uploaded videos and editing prompts are transmitted to a remote cloud service for processing. For a media tool, this omission is significant because videos often contain sensitive personal, biometric, location, or copyrighted content, and users may reasonably expect more prominent disclosure before upload.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal