ClawHub

Ai Video Editor List

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill appears purpose-aligned, but it should be reviewed because it creates remote sessions automatically and can forward broad prompts or media to a third-party backend.

Install only if you are comfortable sending media files, editing prompts, and session data to the NemoVideo cloud service. Use explicit edit/export commands, avoid sensitive media, check credit or subscription impact before export, and keep any NEMO_TOKEN scoped to this service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest and top-level description frame the skill as video clip editing, but the documented accepted inputs include images and audio files. This scope mismatch can mislead users and host platforms about what data types may be uploaded to a third-party backend, weakening informed consent and policy review for non-video content.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to obtain anonymous tokens and establish backend sessions automatically, which introduces credential and session handling behavior beyond simple local media editing. While this may be operationally necessary, doing it silently increases the risk of undisclosed third-party account creation, backend usage, and token misuse if the environment or logs are exposed.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase "edit my video clips" is generic enough to overlap with ordinary user requests, increasing the chance the skill is invoked unintentionally. Accidental invocation matters here because the skill immediately connects to a remote backend and may upload user media for cloud processing.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The routing rule sends "Everything else" to the SSE action, creating a catch-all path with unclear boundaries. In this skill, that means a wide range of unrelated prompts could be forwarded to a remote service, potentially exposing user text or causing unintended remote operations without clear user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description does not clearly warn that user media and related instructions are uploaded to a cloud backend for processing. Because users may provide sensitive videos, the lack of up-front disclosure undermines informed consent and materially increases privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal