ClawHub

Youtube Video Editor And Downloader

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video editing skill whose main risk is expected third-party processing of uploaded media, URLs, prompts, and render state.

Install only if you are comfortable sending video files, YouTube URLs, editing prompts, and generated timeline/render metadata to nemovideo.ai for cloud processing. Avoid confidential, regulated, or sensitive media unless you trust that provider's privacy, retention, billing, and account terms, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
The skill instructs the agent to inspect local install paths to derive `X-Skill-Platform`, which is unnecessary for core video editing functionality and expands access to host-local metadata. Even though the data sought is limited, reading environment-specific filesystem information creates avoidable privacy leakage and establishes a precedent for skills probing local state unrelated to the user's request.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The catch-all rule routes 'Everything else' to the skill, making it eligible to handle nearly any unmatched user input rather than only narrowly scoped video-editing requests. This can cause unintended activation, resulting in irrelevant prompts, URLs, or files being sent to the remote backend and increasing the chance of data exposure or confused-deputy behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill initiates backend connection, token acquisition, and session creation before handling requests, but does not clearly warn users that their files, URLs, and editing instructions will be transmitted to a third-party service. This undermines informed consent and can expose potentially sensitive media or links to an external processor without the user's clear understanding.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal