In Video Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud video editor, but users should review it because it uploads media to an external service and requests token/config access with incomplete disclosure.

Install only if you are comfortable sending selected videos, edit prompts, and related metadata to the NemoVideo cloud backend. Use a limited or anonymous token where possible, avoid granting unexplained local config-directory access, and verify privacy, retention, watermark, credit, and pricing terms before uploading sensitive or important media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill uses broad trigger language like generic video-editing and export requests, which can cause the agent to activate on common user prompts without a clearly bounded scope. In context, that matters because activation leads to remote API use, session creation, and potential media upload/processing, so users may be routed into an external service more often than they reasonably expect.

Missing User Warnings

Medium
Confidence: 97%
Finding
The getting-started flow invites users to send video clips and immediately instructs the agent to establish a backend connection, but it does not clearly warn users that their media and prompts will be transmitted to a third-party cloud service. Because the skill processes potentially sensitive recordings, this omission undermines informed consent and can expose personal, confidential, or regulated content to external processing unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
