ClawHub

Video Editor Clips

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill that discloses its external API, token, session, upload, and render behavior; its trigger wording is broad, but there is no evidence of hidden, destructive, or unrelated activity.

Install only if you intend to use NemoVideo's cloud backend. Do not upload private, confidential, or unauthorized media unless you trust the provider's handling of it, and keep NEMO_TOKEN private. Be aware that opening/invoking the skill may create an anonymous token/session before you upload any files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation guidance tells the agent to start when a user merely shares clips or says what they are thinking, which is broad enough to match ordinary conversation and cause unintended invocation. In a skill that automatically connects to a backend and may create anonymous tokens and sessions, accidental activation can trigger network actions and session creation without clear user intent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example trigger phrases are generic and incomplete, especially phrases like 'export 1080p MP4' and 'trim the clips, add transitions, and', which could overlap with normal discussion or unrelated workflows. Because this skill performs uploads, session management, and rendering actions, ambiguous triggers increase the chance of accidental routing into the skill and unintended external API use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal