Ai Video Editor By Text

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, but users should understand that selected media and text instructions are processed by NemoVideo online.

Install only if you are comfortable sending chosen videos, audio, images, and editing prompts to NemoVideo's cloud service. Avoid confidential or regulated recordings unless you trust the provider's privacy and retention practices, and monitor credit or subscription-related export behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding
The suggested invocation phrases are very generic (for example, ordinary editing-related language), which increases the chance the skill activates during normal conversation rather than through a clearly intentional request. In a skill that uploads media and connects to a remote backend, accidental invocation can lead to unintended processing of user content and surprise external data disclosure.

Vague Triggers

Medium
Confidence: 91%
Finding
The catch-all rule routing 'Everything else' to the SSE editing action is overly broad and can cause unrelated user text to be forwarded to the cloud service as editing commands. Because SSE is the primary path for arbitrary prompts, this increases the risk of unintended remote processing, privacy leakage, and confused-deputy behavior from ambiguous user input.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill description and workflow do not prominently warn users that uploaded videos, media assets, and text instructions are sent to a third-party cloud backend for processing. For a tool handling potentially sensitive recordings, lack of upfront disclosure undermines informed consent and can expose private media or metadata to external services unexpectedly.

VirusTotal

61/61 vendors flagged this skill as clean.
