ClawHub

Video Creator Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video editor that clearly depends on a remote NemoVideo service, with some privacy and consent points users should notice before use.

Install only if you are comfortable with prompts and any uploaded photos, video, or audio being sent to NemoVideo's cloud backend for processing. Avoid sensitive media unless you trust that provider's privacy and retention practices, and watch for confirmation before uploads, exports, or credit-consuming render jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill invites activation on very broad phrases like generic video creation and editing requests, which can cause it to intercept unrelated user intents. In an agent ecosystem, overbroad invocation increases the chance of unintended backend calls, uploads, or session creation for users who did not specifically choose this skill.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The catch-all rule routing 'Everything else' to the SSE action is overly permissive and effectively makes most unmatched prompts execute remote processing. This can cause unintended transmission of user text and possibly media to the backend, especially when prompts are only loosely related to video editing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically connect to a remote backend and obtain an anonymous token on first open without a clear user-facing notice or consent step. This creates a privacy and network transparency issue because the agent may contact third-party infrastructure and establish a session before the user knowingly approves it.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal