ClawHub

Ai Video Editor Google Gemini

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-generation skill, but users should understand that prompts, media, and session data may be sent to NemoVideo.

Install only if you are comfortable sending selected media, prompts, and related metadata to NemoVideo's cloud service. Avoid confidential or regulated footage unless you trust that provider, and ask the agent to confirm before creating sessions, uploading files, or starting exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill includes very generic trigger phrases like "export 1080p MP4" and routes "everything else" to editing actions, which can cause accidental invocation from ordinary conversation rather than clear user consent. In a skill that uploads media and creates remote sessions, ambiguous routing increases the chance of unintended processing and data transfer.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to establish a backend connection and send video/editing requests to a remote API, but the user-facing description does not clearly warn that uploaded media and prompts leave the local environment for third-party processing. Because videos may contain sensitive personal, workplace, or biometric data, this omission undermines informed consent and can lead to privacy and compliance issues.

Natural-Language Policy Violations

Medium
Confidence
85% confidence
Finding
The session creation body hard-codes `"language":"en"`, forcing English regardless of the user's language. This is primarily a safety and correctness issue rather than a direct exploit path, but it can cause misinterpretation of user requests, poor moderation behavior, or incorrect edits for non-English users.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal