ClawHub

Video Editing By Ai Online

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that clearly matches its stated purpose, but users should know their videos and edit prompts go to a third-party service.

Install only if you are comfortable sending selected videos, URLs, edit instructions, and related session data to nemovideo.ai for cloud processing. Avoid confidential, regulated, or highly personal footage unless you have verified the provider's privacy and retention practices, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The invocation guidance is broad enough that normal conversation about editing or sharing media could unintentionally trigger the skill. Because this skill initiates network setup and may connect to a third-party API before doing anything else, accidental activation can expose user intent and lead to unintended external data handling.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The sample trigger phrases are generic, incomplete, and overlap with ordinary assistant requests like "export 1080p MP4" or "edit my raw video footage." In this skill, such weak routing is more dangerous because activation can lead to session creation, token acquisition, and eventual upload/export actions against a third-party service without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages users to share raw video footage but does not clearly warn that media and related instructions are sent to a third-party cloud processing API. For a media-editing skill handling potentially sensitive recordings, this materially increases privacy and data-governance risk because users may upload personal, confidential, or regulated content without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal