ClawHub

Free Video No

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent cloud video-editing skill, but users should be aware that media and editing prompts may be sent to an external backend.

Install only if you are comfortable with a cloud video editor receiving the videos, attachments, and editing instructions you provide. Before using it with private or sensitive footage, confirm whether uploads require explicit user action, how long remote sessions are retained, and whether there is a way to clear or delete uploaded media and timeline state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The example trigger phrase is extremely generic and can match normal conversational input, increasing the chance the skill activates when the user did not explicitly intend to invoke this video-editing workflow. In a skill that uploads files, creates remote sessions, and calls external APIs, accidental invocation can lead to unintended network actions, privacy exposure of user media, or confusion about why cloud processing started.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing table includes a broad catch-all rule that sends 'Everything else' to the SSE editing backend, meaning unrelated or ambiguous user text may be transmitted to an external service. Because this skill is connected to a cloud render pipeline and persistent session state, overbroad routing increases the risk of unintended remote processing, leakage of user prompts or attached media, and actions being taken without clear user consent.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal