Instagram Video Editor Web

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-editing skill, but it has broad activation/routing rules that could send ambiguous user text or media to the cloud without clear confirmation.

Review before installing. Use it only for videos you are comfortable sending to Nemo Video's cloud service, and avoid private or sensitive footage unless the publisher provides clear privacy, retention, and deletion terms. Confirm when the skill is active so ordinary chat or unrelated export requests are not treated as editing commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The suggested invocation phrases are very broad and generic, such as 'edit my video clips' and 'export 1080p MP4', which could match ordinary conversation or unrelated file-handling requests. In an agent environment, this increases the chance of accidental skill activation and unintended transmission of user media or editing instructions to the remote backend.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing table includes a catch-all rule that sends 'Everything else' to the SSE editing action, making activation logic ambiguous and overly permissive. This can cause routine user text to be forwarded to a cloud processing backend as editing commands, increasing the risk of unintended actions, privacy leakage, and confusing agent behavior.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill encourages users to 'drop your video clips in the chat' and states it handles editing on cloud GPUs, but it does not provide a clear upfront warning that uploaded media and instructions are transmitted to a third-party cloud backend. Because videos may contain sensitive personal, biometric, or location information, omission of an explicit disclosure materially increases privacy and consent risk.

VirusTotal

66/66 vendors flagged this skill as clean.
