ClawHub

Ai Video Editor App Free

Security checks across malware telemetry and agentic risk

Overview

The skill is a cloud video editor, and its network/media handling fits that purpose, but users should know their videos and prompts go to NemoVideo.

Install only if you are comfortable sending selected video files, URLs, prompts, and edit context to nemovideo.ai. Use explicit video-editing requests, avoid uploading confidential or bystander-heavy footage unless you trust the provider, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The suggested invocations are very broad and overlap with common editing-related conversation, which increases the chance the skill activates when a user did not clearly intend to use this cloud video service. In this skill, accidental invocation is more sensitive because activation can lead to token acquisition, session creation, and eventual transmission of user media to a third-party backend.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The catch-all rule routes 'Everything else' to the SSE editing path, creating an overly permissive trigger surface for a skill that sends prompts and potentially associated project context to a remote backend. Because this skill handles user files and remote processing, ambiguous routing materially raises the risk of unintended data disclosure or unwanted remote actions from ordinary conversation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to connect automatically to a cloud backend, obtain a token, create a session, and process uploaded video, but it does not clearly warn the user that their files and prompts will be transmitted to an external service. In the context of personal smartphone recordings, this is especially risky because videos may contain sensitive biometric, location, or bystander information, making silent cloud transfer a meaningful privacy issue.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal