Video Editing With Ai Voice

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video-editing helper that openly sends chosen media and edit prompts to NemoVideo for processing, with no hidden install code or destructive behavior found.

Install only if you are comfortable sending selected media files and edit instructions to NemoVideo's cloud service. Avoid confidential, regulated, or highly personal recordings unless you trust the provider's privacy and retention practices, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 79%
Finding
The skill invites activation through very broad language like sending raw footage or loosely describing desired results, which can cause the agent to engage the skill in situations the user did not clearly intend. In a skill that uploads media to remote services and acquires tokens automatically, ambiguous triggering increases the risk of unintended data transmission and side effects.

Vague Triggers

Medium
Confidence: 88%
Finding
The catch-all rule routes 'everything else' into the SSE editing path, creating an overly permissive activation surface. Because this path can initiate remote processing and modify session state, broad routing can misclassify unrelated user input and trigger unintended external API actions.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill clearly states that user media is processed on remote GPU nodes and instructs uploading footage, but it does not present an explicit privacy or data-transmission warning before doing so. This can lead users to share sensitive audio/video content without informed consent about off-device processing, retention, or third-party handling.

VirusTotal

64/64 vendors flagged this skill as clean.
