ClawHub

Video Maker Guru Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose remote API use, token handling, media upload, rendering, and export behavior match its stated purpose, though users should treat uploaded media as shared with NemoVideo's service.

Install only if you are comfortable sending video, audio, images, URLs, and editing prompts to NemoVideo's cloud service and using a NEMO_TOKEN or anonymous starter token. Avoid confidential recordings or sensitive account media unless you trust that provider's privacy, retention, and credit/billing practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to automatically use an existing environment bearer token or mint an anonymous token and create a backend session before servicing requests. That expands access beyond simple local video editing into authenticated remote account/session operations, and it does so without clear user consent or tight scoping of token use.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Allowing uploads by arbitrary URL gives the skill a remote-fetch capability not disclosed in the manifest. This broadens the trust boundary and can be abused to make the backend retrieve attacker-controlled resources, which may expose internal URLs, sensitive media links, or unexpected content flows.

Description-Behavior Mismatch

Low
Confidence
76% confidence
Finding
The documented supported formats extend beyond the advertised video-only scope to images and audio. While not severe by itself, this mismatch weakens user understanding of what data the skill may transmit and process remotely, increasing the chance of unintended file exposure.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation examples are broad enough that generic editing requests could activate the skill unexpectedly. Over-broad triggering is risky here because activation leads to remote session establishment and possible media upload to a third-party backend.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The catch-all routing rule sends nearly any non-matched request into the SSE workflow, creating an ambiguous activation path. In this skill, that means loosely related prompts may still be forwarded to a remote service, increasing the chance of unintended data disclosure or backend use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages users to drop video clips into chat and states that processing happens on cloud GPUs, but it does not provide a clear upfront warning that uploaded media is sent to a remote backend service. For user-supplied videos, this omission materially affects informed consent and privacy expectations.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The instructions omit a clear warning that the agent may automatically consume an environment token or create an anonymous account token. Users and deployers may not expect implicit credential use or account creation during a routine editing request.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal