Daily Review Editor Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill whose upload, token, and remote rendering behavior matches its stated purpose, but users should treat uploaded media as being sent to NemoVideo for processing.

Install only if you are comfortable sending your videos, edit prompts, and generated project state to NemoVideo's cloud backend. Test with non-sensitive footage first, and avoid private, confidential, or regulated recordings unless you trust the service's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding:
The routing rule sends essentially all unmatched prompts into the editing/SSE workflow, which can cause the skill to transmit user requests to the external backend even when the user did not clearly intend to invoke remote video processing. In a media-handling skill, this overbroad trigger increases the chance of accidental data disclosure, unintended API usage, and surprise side effects because ambiguous chat input is treated as permission to act.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill explicitly instructs users to share footage and uploads media to a third-party backend, but it does not provide a clear user-facing notice that files and related prompts will be transmitted off-platform for cloud processing. For user video content, this is a real privacy and consent issue because recordings may contain sensitive personal, location, or bystander information, and users may not understand where their data is going.

VirusTotal

64/64 vendors flagged this skill as clean.
