Video Best

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-enhancement skill, but users should understand that media and editing prompts are sent to an external backend.

Install only if you are comfortable sending videos, audio/images, and editing prompts to mega-api-prod.nemovideo.ai for cloud processing. Avoid confidential footage unless you trust the service's privacy and retention practices, and prefer short-lived or disposable NEMO_TOKEN credentials where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The opening prompt encourages users to 'share your raw video footage' or vaguely describe what they want, which makes invocation overlap with ordinary conversation and generic editing requests. Overbroad trigger language can cause accidental activation and unintended transmission of user media or prompts to a third-party backend without sufficiently explicit intent.

Vague Triggers

Medium
Confidence: 92%
Finding
The example phrase 'enhance my raw video footage' is a common, generic editing request that could match many benign conversations and accidentally route users into this skill. In this context, accidental invocation is more dangerous because the skill automatically connects to a remote service and may initiate token/session creation before the user clearly understands that cloud processing is involved.

Missing User Warnings

High
Confidence: 96%
Finding
The skill description does not clearly warn users up front that uploaded media is sent to a remote cloud processing backend, even though the body later states that enhancement runs on cloud GPUs and includes automatic backend connection/session creation. Because users may upload personal or sensitive videos, the lack of conspicuous disclosure undermines informed consent and increases privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.
