ClawHub

Video Editing Ai Name

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-editing integration, but users should understand that their videos and prompts are sent to nemovideo.ai for processing.

Install only if you are comfortable with nemovideo.ai receiving uploaded videos, URLs, edit prompts, timeline/session state, and export job data. Review screen recordings for passwords, private chats, internal systems, notifications, and confidential material before upload, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The startup prompt invites users to simply share footage or vague ideas, which is broad enough to cause the skill to activate on loosely related conversation or file-sharing events. In an agent environment, unintended invocation can lead to automatic network calls, token generation, session creation, and transmission of user media to a third-party service without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The routing rule sends "Everything else" to the SSE editing workflow, creating a catch-all path that can treat almost any user message as authorization to contact the backend. Because this skill performs remote processing and may upload or manipulate user media, such a broad trigger materially increases the risk of accidental data disclosure and unintended external actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explains that rendering happens server-side, but it does not provide a prominent, plain-language warning that uploaded videos, prompts, and session data are transmitted to and processed by a remote third-party API. Given that users may upload sensitive screen recordings, the lack of a clear disclosure undermines informed consent and increases privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal