ClawHub

Video Editing And Ai

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud video editing skill that sends user-provided videos and prompts to NemoVideo for processing, which is disclosed and aligned with its purpose.

Install only if you are comfortable sending your video files, media URLs, editing prompts, and project state to NemoVideo cloud services. Avoid sensitive, confidential, or copyrighted footage unless you trust the provider's data handling, and treat NEMO_TOKEN as a credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The routing table sends 'Everything else' to the SSE action, which makes the skill eligible to handle a very broad set of prompts beyond narrowly scoped video-editing requests. In a cloud-connected skill that uploads data and sends free-form instructions to a remote backend, overbroad routing increases the chance of accidental invocation, unintended data transmission, and user confusion about which system is processing their request.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill prominently encourages users to upload raw footage and describe edits, but the user-facing setup and getting-started text does not clearly warn that videos and prompts are transmitted to a third-party cloud service for processing. Because video files and editing instructions may contain sensitive personal, corporate, or copyrighted content, lack of upfront disclosure undermines informed consent and can lead to inadvertent privacy or compliance exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal