Tiktok Video Editing With

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real cloud video-editing workflow, but it automatically connects to a third-party service and may send videos and prompts there without clear upfront consent.

Review before installing. Use it only if you are comfortable sending video files, editing prompts, session metadata, and a NEMO_TOKEN or anonymous token to mega-api-prod.nemovideo.ai. Start with non-sensitive clips, avoid private or regulated footage, and watch for account, credit, or subscription effects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly sends uploaded videos and editing prompts to a third-party cloud backend for processing, but the user-facing flow emphasizes convenience and speed rather than obtaining informed consent for remote upload and processing. Because video content often contains personal, biometric, location, or other sensitive data, insufficient disclosure can lead users to share sensitive media without understanding the privacy implications.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding:
The skill uses either an existing environment token or silently acquires an anonymous starter token from a remote service, but this authentication behavior is hidden from the user. While this is not a direct secret-exfiltration mechanism in the text provided, undisclosed account/session creation and token use can surprise users, create unintended linkage to backend accounts, and reduce transparency around who is acting on their behalf.

VirusTotal

66/66 vendors flagged this skill as clean.
