ClawHub

Best Video Editor Free

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-editing skill, but it should be reviewed because its instructions can send broad or unrelated user messages to a third-party backend.

Install only if you are comfortable sending clips, audio, editing prompts, and related session data to NemoVideo's cloud service. Use it only for explicit video-editing tasks, avoid private or sensitive footage, and be cautious because broad or unrelated prompts may be routed to the remote editor.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The suggested activation phrases are broad and include generic requests like "export 1080p MP4" and "edit my raw video clips," which could plausibly overlap with ordinary conversation in adjacent contexts. In a skill that uploads media and sends content to a remote backend, over-broad invocation increases the chance of unintended activation and accidental disclosure of user files or editing instructions.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The routing table contains a catch-all rule that sends "Everything else" to the SSE editing action, meaning almost any unmatched user input may be forwarded to the cloud backend. This is dangerous because it can cause unintended remote processing of arbitrary user text, expanding data exposure and making accidental activation much more likely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Although later sections mention server-side processing, the user-facing description does not clearly warn up front that uploaded media and editing prompts are transmitted to a third-party cloud service. For a media-processing skill handling potentially sensitive videos and audio, this omission undermines informed consent and increases privacy risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal